MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



MarsStealer


Vendor detections: 16



SHA256 hash: 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
SHA3-384 hash: 1960615598e25ffa75f05662d5e15bf214d5d03041669191138b4d543e09d26ec392a95e05d5f5d1ce169bafdf005160
SHA1 hash: 64e85269651f0a475d0a94eb98cd3adbf3061e10
MD5 hash: 2e89a7aae558e9be86042e2bd7e65803
humanhash: juliet-network-queen-purple
File name: b123.exe
Signature: MarsStealer
File size: 235'352 bytes
First seen: 2022-03-22 22:49:38 UTC
Last seen: 2022-03-23 00:55:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bae10aaa9e80d644f79420466068cc74 (1 x MarsStealer)
ssdeep: 3072:iq0Je2P1VU4W3gwbBPWq3rZP55Zu3DtYyprz8gJy436s+OssN+uQSYftoyQ4tpvG:iq0rnURb0K742Ajx3qSYe94tpvURSYOc
Threatray: 4'066 similar samples on MalwareBazaar
TLSH: T1A834BF1B71289E36E4663B308EBF9539431AD2A7F234C157E13EEEF8F615091966CE10
dhash icon: a4353232d5f9f4ec (1 x RedLineStealer, 1 x MarsStealer, 1 x ArkeiStealer)
Reporter: @malware_traffic
Tags:exe Mars Stealer MarsStealer

Intelligence


File Origin
# of uploads: 2
# of downloads: 238
Origin country: US
Mail intelligence: No data
Vendor Threat Intelligence

Malware family:
ID: 1
File name: K3362p2954.doc
Verdict: Malicious activity
Analysis date: 2022-03-22 01:48:37 UTC
Tags: macros ole-embedded macros-on-open generated-doc encrypted evasion trojan loader stealer arkei vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
DNS request
Sending an HTTP GET request
Creating a file
Reading critical registry keys
Changing a file
Creating a file in the %AppData% subdirectories
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: emotet greyware keylogger overlay packed virus zbot
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: CryptOne Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.GenSteal
Status: Malicious
First seen: 2022-03-21 17:21:39 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 27 of 41 (65.85%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:arkei botnet:default discovery spyware stealer suricata
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Arkei
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
Malware Config
C2 Extraction: http://sughicent.com/blaka.php
Unpacked files
SHA256 hash: eb764591fb9e827a70b3ee575c6b301b5218e401505e5e2c848e7c30065a06dd
MD5 hash: bebdee452d78300ceb4c6188298f2d56
SHA1 hash: b2e87bd5594e12763434dc10a09ac90371589046
SHA256 hash: 7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625
MD5 hash: 2e89a7aae558e9be86042e2bd7e65803
SHA1 hash: 64e85269651f0a475d0a94eb98cd3adbf3061e10
Malware family: CryptOne
Verdict: Malicious
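The hashes in the "File information" block above and the unpacked-file hashes and C2 URL under "Malware Config" are the actionable IOCs on this entry. The script below is an added example, not code from MalwareBazaar or from any vendor listed on the page: it hashes a file with the same four algorithms the entry lists, matches digests from an EDR or file-scan export against the packed and unpacked hashes, and flags proxy log lines that reach the extracted C2 URL or any other path on that host. The hashes and the C2 URL are copied verbatim from this entry; the proxy log format ("timestamp client method url") and the sample log lines are constructed for the example.

```python
"""IOC matching against this MalwareBazaar entry (added example, not the
site's own code). Hashes and the C2 URL are copied from the entry; the
proxy log format and sample lines below are constructed."""
import hashlib
from urllib.parse import urlparse

# Packed sample (b123.exe) and the unpacked payload from "Unpacked files".
FILE_IOCS = {
    "sha256": {
        "7022a16d455a3ad78d0bbeeb2793cb35e48822c3a0a8d9eaa326ffc91dd9e625",
        "eb764591fb9e827a70b3ee575c6b301b5218e401505e5e2c848e7c30065a06dd",
    },
    "sha1": {
        "64e85269651f0a475d0a94eb98cd3adbf3061e10",
        "b2e87bd5594e12763434dc10a09ac90371589046",
    },
    "md5": {
        "2e89a7aae558e9be86042e2bd7e65803",
        "bebdee452d78300ceb4c6188298f2d56",
    },
}

# C2 URL from the "Malware Config" section of the entry.
C2_URLS = {"http://sughicent.com/blaka.php"}
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}


def hash_file_bytes(data: bytes) -> dict:
    """Compute the digests the entry lists (MD5, SHA1, SHA256, SHA3-384)
    for a file's bytes, so a local file can be compared to the entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def match_hashes(observed: dict) -> list:
    """Return (algorithm, digest) pairs from `observed` that hit a listed IOC.
    `observed` maps algorithm name -> hex digest (e.g. one row of an EDR
    export). Digests are compared case-insensitively, since exports vary."""
    hits = []
    for algo, digest in observed.items():
        digest = digest.lower()
        if digest in FILE_IOCS.get(algo, set()):
            hits.append((algo, digest))
    return hits


def find_c2_hits(proxy_lines) -> list:
    """Flag proxy log lines that request the C2 URL exactly, or any path on
    the C2 host (the same server may serve other panel scripts).
    Constructed line format: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line, skip it
        client, url = parts[1], parts[3]
        if url in C2_URLS:
            hits.append((client, "exact C2 URL", url))
        elif urlparse(url).hostname in C2_HOSTS:
            hits.append((client, "C2 host, other path", url))
    return hits


# Constructed sample proxy log: one exact C2 hit, one benign request,
# one request to a different path on the C2 host.
SAMPLE_PROXY_LOG = [
    "2022-03-22T22:50:01Z 10.0.0.15 GET http://sughicent.com/blaka.php",
    "2022-03-22T22:50:02Z 10.0.0.15 GET http://example.org/index.html",
    "2022-03-22T22:51:10Z 10.0.0.22 POST http://sughicent.com/other.php",
]

if __name__ == "__main__":
    print(match_hashes({"sha256": FILE_IOCS["sha256"].copy().pop()}))
    for hit in find_c2_hits(SAMPLE_PROXY_LOG):
        print(hit)
```

To check a file on disk, read its bytes, pass them to hash_file_bytes and feed the result to match_hashes; a hit on the eb7645... digest means the unpacked payload, not the CryptOne-packed dropper, was found. Host-level matching on sughicent.com is deliberately broader than the exact URL, so treat "C2 host, other path" hits as leads to triage rather than confirmed exfiltration.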

File information



Comments