MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 10

Intelligence 10 IOCs YARA 15 File information Comments

SHA256 hash:	81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51
SHA3-384 hash:	8396f91c107547e049ad9b0c7c165ff9d4a146c98a5ccc5355fe7c5a6fb9306a6c82b17563d8dbf5acacb66db71df683
SHA1 hash:	b2dc4cda58699708a4ebfd31d2a7f5828718f1bc
MD5 hash:	c9bf7a5c92aef719f5f04eb70898b443
humanhash:	utah-cat-fanta-vermont
File name:	Doctors_Recommendation.scr
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	3'146'096 bytes
First seen:	2023-11-10 08:00:15 UTC
Last seen:	2023-11-10 09:18:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d70ea46027876c77926b7954dbffb9fa (1 x MarsStealer)
ssdeep	24576:Ku9FGdK/Ho7S+P6/i1iJq3TXC92REo4Q7hvgL:KZdKOS8sw8GRESFK
Threatray	41 similar samples on MalwareBazaar
TLSH	T1A9E5BF35A1618032E7F20173A928A135FE2CE51C37149A5EA2FCED1D79B8092E7F7617
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	74e4d4d4ecf4d4d4 (23 x GuLoader, 20 x LummaStealer, 19 x AgentTesla)
Reporter	JAMESWT_WT
Tags:	bookinggoogledrive exe MarsStealer VidarStealer

Intelligence

File Origin

# of uploads :

# of downloads :

323

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.FileRepMalware.23305.30166.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Creating a file

Reading critical registry keys

Changing a file

Creating a file in the %AppData% subdirectories

Creating a window

Stealing user critical data

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

90%

Tags:

CAB control crypto expand greyware installer lolbin masquerade overlay packed runonce shell32

Link:

https://www.filescan.io/uploads/654de3442546bd423f158d67/reports/aeb8ccc3-c826-434a-a5bf-a3d3372622c9/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/184f26e8-3ffe-45a5-91b4-2fa93aa542e7

Result

Threat name:

Vidar

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1340407

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Uses known network protocols on non-standard ports

Yara detected Vidar

Yara detected Vidar stealer

Behaviour

Behavior Graph:

Download SVG

Score:

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qhn22uqpr5gycy7afv5qdbtjddudsk5vjhpsznz7doaur5x5lniq._file

Verdict:

malicious

MarsStealer

262197fe8d46924f519f7453f8e9b70b77450a743c108bce4adb5c72ef55538a

MarsStealer

304297cf4b97fed416f783c13df6b4718414e78ac9f07b7b0ad1ab9c528a57c7

MarsStealer

325b344b51be9049f5576e69b2fa7167e30716a8f28fc61c8ab0376438aeb804

MarsStealer

81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51

MarsStealer

8472954bef0d88549a13bc51e96800f4ef603cc15bf7ae8d15e07dfd28981eeb

MarsStealer

c988aa2a29c57038eb57a72cb7422de9b47b3e46b7adcd584af528a65fbd960c

MarsStealer

+ 31 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

discovery spyware stealer

Link:

https://tria.ge/reports/231110-jwjwaafe32/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Downloads MZ/PE file

Unpacked files

SH256 hash:

80cbfb2da5d85d600462eb3e4afc50657cf9ab62e2c46958a054e7e3238c5fca

MD5 hash:

cf20b738c740262406eb6928bb908de0

SHA1 hash:

627e1e6b76525c596a3b371d9156d943fa2f7810

Link:

https://www.unpac.me/results/7941eb8d-82e1-4078-802a-613a26768a71/

SH256 hash:

81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51

MD5 hash:

c9bf7a5c92aef719f5f04eb70898b443

SHA1 hash:

b2dc4cda58699708a4ebfd31d2a7f5828718f1bc

Link:

https://www.unpac.me/results/7941eb8d-82e1-4078-802a-613a26768a71/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/81dbad520f8f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/81dbad520f8f4d8163e02d7b01866918e8392bb549df2cb73f1b8148f6fd5b51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Check_Dlls Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	has_telegram_urls Create hunting rule
Author:	Aaron DeVera<aaron@backchannel.re>
Description:	Detects Telegram URLs

Rule name:	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing non-Windows User-Agents

Rule name:	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL Create hunting rule
Author:	ditekSHen
Description:	Detects binaries and memory artifcats referencing sandbox DLLs typically observed in sandbox evasion

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample