MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f
SHA3-384 hash: 0a1413b1a2e3dab771015abdaf71e8cca8703026cd3f8ce2b74b97a0e2a219edd52d1f441c05e56a8b1ca2c66ee46c1b
SHA1 hash: 2c35193de065cddd48caf7f89aac2b7982e290eb
MD5 hash: 65ac7119b0308d5ccfb4cb8692d0ac2e
humanhash: oven-coffee-undress-four
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:2'079'744 bytes
First seen:2024-11-03 17:44:56 UTC
Last seen:2024-11-03 19:19:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:1hUNBb7D2Gq7+tiFm0N2tVIfZnfuFKre:eyB+tiFyIfZnfuFK
Threatray 1 similar samples on MalwareBazaar
TLSH T1D4A533CB5F033420F8D41532BF6721B297BE25BA1D7A42754C524E767FB0B86FA14868
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
26
# of downloads :
474
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-03 17:47:54 UTC
Tags:
lumma stealer themida loader stealc
Link:
https://app.any.run/tasks/3c519367-b273-4dd1-aa76-afee530fefbd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.28049.28659.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6727b6a78d23d9049133295a
Tags:
vmdetect autorun autoit spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6727b6a17aae57551a11d1a4/reports/cd9022f8-4208-459c-9189-55ab8ee19a71/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a053b78b-5496-42f8-be92-092a78825a5e
Result
Threat name:
LummaC, Amadey, Credential Flusher, Lumm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548053
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1548053 Sample: file.exe Startdate: 03/11/2024 Architecture: WINDOWS Score: 100 86 thumbystriw.store 2->86 88 steamcommunity.com 2->88 90 28 other IPs or domains 2->90 114 Suricata IDS alerts for network traffic 2->114 116 Found malware configuration 2->116 118 Antivirus detection for dropped file 2->118 120 17 other signatures 2->120 9 file.exe 37 2->9         started        14 skotes.exe 3 26 2->14         started        16 f66e5b46ff.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 98 185.215.113.206, 49730, 49753, 80 WHOLESALECONNECTIONSNL Portugal 9->98 100 185.215.113.16, 49762, 55671, 80 WHOLESALECONNECTIONSNL Portugal 9->100 102 127.0.0.1 unknown unknown 9->102 70 C:\Users\user\DocumentsCBKJKJDBFI.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->72 dropped 74 C:\Users\user\AppData\Local\...\random[1].exe, PE32 9->74 dropped 82 13 other files (9 malicious) 9->82 dropped 160 Detected unpacking (changes PE section rights) 9->160 162 Attempt to bypass Chrome Application-Bound Encryption 9->162 164 Drops PE files to the document folder of the user 9->164 174 9 other signatures 9->174 20 cmd.exe 1 9->20         started        22 chrome.exe 9->22         started        104 185.215.113.43, 55653, 55665, 80 WHOLESALECONNECTIONSNL Portugal 14->104 76 C:\Users\user\AppData\...\162806638f.exe, PE32 14->76 dropped 78 C:\Users\user\AppData\...\345cac1f30.exe, PE32 14->78 dropped 80 C:\Users\user\AppData\...\d69bc2ef41.exe, PE32 14->80 dropped 84 5 other malicious files 14->84 dropped 166 Creates multiple autostart registry keys 14->166 168 Hides threads from debuggers 14->168 170 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->170 25 f66e5b46ff.exe 14->25         started        28 d69bc2ef41.exe 13 14->28         started        30 162806638f.exe 14->30         started        32 345cac1f30.exe 14->32         started        106 founpiuer.store 172.67.133.135 CLOUDFLARENETUS United States 16->106 108 packagednyb.cyou 188.114.97.3 CLOUDFLARENETUS European Union 16->108 110 steamcommunity.com 104.102.49.254 AKAMAI-ASUS United States 16->110 172 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->172 34 firefox.exe 18->34         started        file6 signatures7 process8 dnsIp9 36 DocumentsCBKJKJDBFI.exe 4 20->36         started        40 conhost.exe 20->40         started        92 192.168.2.4, 443, 49723, 49724 unknown unknown 22->92 94 239.255.255.250 unknown Reserved 22->94 42 chrome.exe 22->42         started        96 necklacedmny.store 188.114.96.3 CLOUDFLARENETUS European Union 25->96 138 Antivirus detection for dropped file 25->138 140 Multi AV Scanner detection for dropped file 25->140 142 Detected unpacking (changes PE section rights) 25->142 158 2 other signatures 25->158 144 Machine Learning detection for dropped file 28->144 146 Tries to evade debugger and weak emulator (self modifying code) 28->146 148 Hides threads from debuggers 28->148 150 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->150 152 Tries to detect sandboxes / dynamic malware analysis system (registry check) 30->152 154 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 30->154 156 Binary is likely a compiled AutoIt script file 32->156 45 taskkill.exe 32->45         started        47 taskkill.exe 32->47         started        49 taskkill.exe 32->49         started        53 3 other processes 32->53 51 firefox.exe 34->51         started        signatures10 process11 dnsIp12 68 C:\Users\user\AppData\Local\...\skotes.exe, PE32 36->68 dropped 122 Antivirus detection for dropped file 36->122 124 Detected unpacking (changes PE section rights) 36->124 126 Machine Learning detection for dropped file 36->126 128 6 other signatures 36->128 55 skotes.exe 36->55         started        112 www.google.com 142.250.185.132, 443, 49734, 49735 GOOGLEUS United States 42->112 58 conhost.exe 45->58         started        60 conhost.exe 47->60         started        62 conhost.exe 49->62         started        64 conhost.exe 53->64         started        66 conhost.exe 53->66         started        file13 signatures14 process15 signatures16 130 Antivirus detection for dropped file 55->130 132 Detected unpacking (changes PE section rights) 55->132 134 Machine Learning detection for dropped file 55->134 136 5 other signatures 55->136
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-03 17:45:45 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tenclyzmrhbixzvy6xeehpdb3jzfzf3sbxpspwgilx73ibtvzyxq._file
Verdict:
suspicious
Label(s):
stealc
Create hunting rule
Similar samples:
991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f
MarsStealer
error
MarsStealer
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:tale credential_access discovery evasion spyware stealer
Link:
https://tria.ge/reports/241103-wbpx1sspfp/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/ca5cbfdb-fcde-4111-b9f2-fa4c3fe12050
Unpacked files
SH256 hash:
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
MD5 hash:
eda18948a989176f4eebb175ce806255
SHA1 hash:
ff22a3d5f5fb705137f233c36622c79eab995897
Link:
https://www.unpac.me/results/28815689-85f2-47bf-8c80-2bfb2b74b7c4/
SH256 hash:
c0b1771fafe0f238ed4c64d5765118c91706dc2f9757cbdf8e07ec61bcb143e0
MD5 hash:
791754c9f8243e02428a4f08f56010e8
SHA1 hash:
d5a441522418e38f7be7d86ed56b54ff2555825c
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/28815689-85f2-47bf-8c80-2bfb2b74b7c4/
SH256 hash:
991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f
MD5 hash:
65ac7119b0308d5ccfb4cb8692d0ac2e
SHA1 hash:
2c35193de065cddd48caf7f89aac2b7982e290eb
Link:
https://www.unpac.me/results/28815689-85f2-47bf-8c80-2bfb2b74b7c4/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/991a25e32c89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe 991a25e32c89c28be6b8f5c843bc61da725c97720ddf27d8c85dffb40675ce2f

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments