MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d
SHA3-384 hash: 2eccb1b8edf6a3e13193eee8501e1c9ef9ed194c9c405eecddfa7b7e04ce0a0e667540df1faf172f2b464f49c06f07d5
SHA1 hash: 17c90eb4cb9dd21cc3d71a2b489922ed2e855d48
MD5 hash: 89eff88c392738c3147df1e05ce04e56
humanhash: nebraska-oven-wyoming-oregon
File name:DocOpen.exe
Download: download sample
Signature MarsStealer
Create hunting rule
File size:16'015'360 bytes
First seen:2023-09-04 06:18:15 UTC
Last seen:2023-09-04 06:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 393216:SOBuveXECWgaHfmwCUKBvdr7ZugJL2qk0F8kZr5VhDQQVGImwNP:SOmedyf1FKBeQqqF9ZrrJTr
Threatray 200 similar samples on MalwareBazaar
TLSH T199F6CF6A02F945D3E95E4274AF12653DCCDA8EC33E9EDF92975B3A2490FB23C2474421
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 9271f0d4e8cce8f8 (2 x AllcomeClipper, 1 x MarsStealer)
Reporter 0xToxin
Tags:89-23-96-203 exe MarsStealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
282
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DocOpen.exe
Verdict:
Malicious activity
Analysis date:
2023-09-04 06:22:54 UTC
Tags:
stealc stealer loader
Link:
https://app.any.run/tasks/1f7da287-e6f0-49f1-8bef-cee347df3e35

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.2161.7278.10644.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer obfuscated packed packed smartassembly
Link:
https://www.filescan.io/uploads/64f576dc67511af1a1b42e2c/reports/edde690c-66a1-4cbb-bdba-b2476f114870/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d
Result
Verdict:
MALICIOUS
Malware family:
Oski Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/06c5f4ec-3e89-4106-b933-fb2ab1483b02
Result
Threat name:
Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1302636
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-04 06:19:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sr33lahksn7upzkltvvqejqxylsqr67nf52pnlb62vghqyn7rmwq._file
Verdict:
malicious
Similar samples:
7083e4774a68e23dd2f9239e5108f6615ff945a0673e7e975ab2ca2d4cb297d3
MarsStealer
86d03db5bc38058981a38f02f81530fd8fabb10d2911377ecdee221cc525c63a
MarsStealer
b63d41c60aa52cae9806a4fe233d9a55b0c2dfdc67f215ab66c660503cc1a5f3
MarsStealer
b71f9dbd9296b5c598a2f9c5bc45c73baa00dbe19520a5dbe812e8975d7c62f3
MarsStealer
c19be545bf9f627cb8a1230df7d754b04aa53979aa52043a18bd3e708faaea09
MarsStealer
d87502f99648aac5100598129fd31648afb3dce99bfaf4274dce3997c1bfa6d7
MarsStealer
e007c47e0d8481bc55c96cf726690770e50211b8087b4674f9dee04f51bc6a17
MarsStealer
+ 190 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:7467184535265712328301517570 discovery spyware stealer
Link:
https://tria.ge/reports/230904-g27heseb5z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Stealc
Malware Config
C2 Extraction:
http://193.42.32.99
Unpacked files
SH256 hash:
038a54d0e765a4c93175d4e61a4c76fb9267d5120fdfa0f634e5bfdbcdc58529
MD5 hash:
6c9aad043661d3aa5ac3ecd37529e5fe
SHA1 hash:
3de107e5ad4ae821137ca0182fb84aa6f0a8fddb
Link:
https://www.unpac.me/results/7d2a643f-0377-48e8-a75a-709e69f6cec2/
SH256 hash:
9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d
MD5 hash:
89eff88c392738c3147df1e05ce04e56
SHA1 hash:
17c90eb4cb9dd21cc3d71a2b489922ed2e855d48
Link:
https://www.unpac.me/results/7d2a643f-0377-48e8-a75a-709e69f6cec2/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9477b580ea93/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9477b580ea937f47e54b9d6b022617c2e508fbed2f74f6ac3ed54c7861bf8b2d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Mars_Stealer
Create hunting rule
Author:@malgamy12
Description:detect_Mars_Stealer
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments