MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 16



SHA256 hash: b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb
SHA3-384 hash: be8237e2a3768b93138bab68600b9000ac9313bf40d04b40f0719d6cd171625c808b03516a7df99fce24d3111427ae6e
SHA1 hash: df1cd01e9a08177749609ca57d4af8cab9573510
MD5 hash: 00caeff2ff96754a0a6caaec18afc8d5
humanhash: robin-north-arkansas-solar
File name: file
Signature: MarsStealer
File size: 1'777'152 bytes
First seen: 2024-09-07 16:40:01 UTC
Last seen: 2024-09-07 18:19:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 24576:c1GeWQbWNPeZK3By+OntUM2zG6tMSIYu4PF4IosnzjZqKYJBETLLqIYdpCFj0alX:GVaWZI2tzYUSIYu4N4IowUDSTLLr0MX
TLSH: T102853396AFB4DE71E699483CFF47818B6F2DCB04D4C725DC00A6847204B6E256A9F43B
TrID:
  27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
  8.5% (.ICL) Windows Icons Library (generic) (2059/9)
  8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: Bitsight
Tags: exe MarsStealer


Bitsight
url: http://31.41.244.11/steam/random.exe

Intelligence


File Origin
# of uploads: 4
# of downloads: 391
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-09-07 21:10:26 UTC
Tags: stealer stealc loader themida

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: Infostealer Network Stealth

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating synchronization primitives
  Searching for analyzing tools
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Connection attempt to an infection source
  Sending an HTTP GET request to an infection source
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: microsoft_visual_cc packed
Result
Verdict: MALICIOUS

Result
Threat name: Stealc, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph: n/a
Threat name: Win32.Trojan.Stealerc
Status: Malicious
First seen: 2024-09-07 16:41:05 UTC
File Type: PE (Exe)
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Verdict: unknown

Result
Malware family:
Score: 10/10
Tags: family:stealc botnet:rave discovery evasion stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  System Location Discovery: System Language Discovery
  Suspicious use of NtSetInformationThreadHideFromDebugger
  Checks BIOS information in registry
  Identifies Wine through registry keys
  Identifies VirtualBox via ACPI registry values (likely anti-VM)
  Stealc
Malware Config
C2 Extraction: http://185.215.113.103
Unpacked files
SHA256 hash: 8d3a3fdbc9540341f0457bf83b0c50200c6bfafc1ffb3b37f7c5503e84b5804d
MD5 hash: 1c596fcf0cd2628421d4e9c968b9013a
SHA1 hash: e3568efacecdfb136a65e97e826cbc18edf5753a
Detections: stealc win_stealc_w0 win_stealc_a0
SHA256 hash: b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb
MD5 hash: 00caeff2ff96754a0a6caaec18afc8d5
SHA1 hash: df1cd01e9a08177749609ca57d4af8cab9573510
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  MarsStealer
    Executable exe b2d7f1e627e20804800b417f7d4d8a9133c58b16956a35a8885b011cbd7f79bb (this sample)
      Dropped by: Amadey

Delivery method: Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX                  | Missing Non-Executable Memory Protection               | critical
