MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a693827d725fbe45e3b42813c281f9e2390af7cb21e06a6d8058923917104efd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 15

SHA256 hash: a693827d725fbe45e3b42813c281f9e2390af7cb21e06a6d8058923917104efd
SHA3-384 hash: 17105617814cd0eabc501c0b50618196c7b0d83e2ab9f03333a5f8ebdea2a4d91726ea6e3e8bf2276e7ebdbaff049917
SHA1 hash: 14378e009a4f05fe71df1600dd975d80201ec994
MD5 hash: 3fba342adc9a795c9c5f64b00ce01b74
humanhash: burger-don-sixteen-sink
File name: file
Signature: MarsStealer
File size: 1'876'992 bytes
First seen: 2024-09-27 23:11:51 UTC
Last seen: 2024-09-28 00:10:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:K8Ddwv5HafrA7siBwe6uiRkf9tefcy3v0tD4bAXnd7TTv2Z+FNVhrz/TlUyz0jFp:K/FaEoiBXj1G3cZ4C2Y1hrllz0yqhSK
TLSH: T1C995332C72FB4018DAC467760A4961A87CEBA7D2D883F2357F54827EF13789D25C91B8
TrID: 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
      8.5% (.ICL) Windows Icons Library (generic) (2059/9)
      8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: exe MarsStealer

Bitsight
url: http://185.215.113.103/steam/random.exe

Intelligence
File Origin
# of uploads: 7
# of downloads: 395
Origin country: US
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-27 23:12:45 UTC
Tags:
stealer stealc loader themida opendir amadey botnet

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
Execution Generic Infostealer Network Stealth Trojan Autorun Gumen Spam Lien
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name:
Amadey, Stealc, Vidar
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Download and Execute IEX
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Suspicious PowerShell Download and Execute Pattern
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph: (rendered process graph omitted) Behavior Graph ID: 1520887; Sample: file.exe; Startdate: 28/09/2024; Architecture: WINDOWS; Score: 100. Top-level processes shown: file.exe, skotes.exe, 0bb986841b.exe and 5 other processes.
Threat name:
Win32.Spyware.Stealc
Status:
Suspicious
First seen:
2024-09-27 23:12:12 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
2/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:stealc botnet:9c9aa5 botnet:save credential_access discovery evasion execution persistence spyware stealer trojan
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Command and Scripting Interpreter: PowerShell
Checks BIOS information in registry
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Blocklisted process makes network request
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Stealc
Malware Config
C2 Extraction:
http://185.215.113.37
http://185.215.113.43
Dropper Extraction:
http://185.215.113.103/test/do.ps1
http://185.215.113.103/test/no.ps1
http://185.215.113.103/test/ko.ps1
http://185.215.113.103/test/so.ps1
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Unpacked files
SHA256 hash:
7a0798d8c561be8ebf6b0715fc941e3bbb03a32a196b6506e21360b76fffcc24
MD5 hash:
5ee8c85eed27924962edda53afeae286
SHA1 hash:
ffea743e8c0260ad55c051694e5b2af4942d19fe
Detections:
stealc win_stealc_w0 win_stealc_a0
SHA256 hash:
a693827d725fbe45e3b42813c281f9e2390af7cb21e06a6d8058923917104efd
MD5 hash:
3fba342adc9a795c9c5f64b00ce01b74
SHA1 hash:
14378e009a4f05fe71df1600dd975d80201ec994
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Web download
MarsStealer: Executable exe a693827d725fbe45e3b42813c281f9e2390af7cb21e06a6d8058923917104efd (this sample)
Dropped by: Amadey
Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                          Title                                                     Severity
CHECK_AUTHENTICODE          Missing Authenticode                                      high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)    high
CHECK_NX                    Missing Non-Executable Memory Protection                  critical

Comments