MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments 1

SHA256 hash:	b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1
SHA3-384 hash:	3a0a62b43af9842ababba52ec18c343bd86dbf043c2a72912668eeae36b3b8be73dacd2e394bfcb66145fdbef19e3298
SHA1 hash:	9deb792e17d3b178617f01ac7431d19afcdef00a
MD5 hash:	874ac93d4b915cf861dcb3efde23b553
humanhash:	social-seven-carbon-south
File name:	874ac93d4b915cf861dcb3efde23b553
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	273'920 bytes
First seen:	2023-09-06 05:56:40 UTC
Last seen:	2023-09-06 07:38:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	daa1a08dee11da8e79c5ea06916ce90f (1 x MarsStealer)
ssdeep	3072:D9HRwHQ3Y90N3R6kwruqa9tvUKGBpvWrd56pOnzOVJbDAoySqFJtvgYn8Rkb:tRwHPW30ruqabvU5PeCcncJbDAWwoR
Threatray	216 similar samples on MalwareBazaar
TLSH	T10E44CF22B7D1C072E16356344EB1C3B15E7BB8B19B749ADB6BD41A3E1E306D08E7434A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0060204418a04000 (1 x MarsStealer)
Reporter	zbetcheckin
Tags:	32 exe MarsStealer

Intelligence

File Origin

# of uploads :

# of downloads :

272

Origin country :

Vendor Threat Intelligence

Malware family:

oski

ID:

File name:

874ac93d4b915cf861dcb3efde23b553

Verdict:

Malicious activity

Analysis date:

2023-09-06 05:59:15 UTC

Tags:

stealc oski stealer

Link:

https://app.any.run/tasks/704f5203-8d6d-4b0d-b9cb-824606f7e5d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/446454/

Detection(s):

SecuriteInfo.com.Win32.RansomX-gen.8532.26520.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin packed shell32

Link:

https://www.filescan.io/uploads/64f814b02a262962b794afcc/reports/72f9ac33-c114-4160-8fa2-86684571f3ee/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Oski Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/675977bb-dd9a-41c8-9c71-6519bdb087ba

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1304043

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking locale)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sample uses string decryption to hide its real strings

Snort IDS alert for network traffic

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1/

Threat name:

Win32.Trojan.Privateloader

Status:

Malicious

First seen:

2023-09-06 05:57:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyo32ktboi25nnaxrwincjw4k7sa45dvdyxtt7eklwfm6pst6haq._file

Verdict:

malicious

MarsStealer

1b0da8603f31103a5d90152c983ddd534e128abed1901fe5debb660c0bb6ecce

MarsStealer

480afef1f95b2130b1dfceafb7f5639d962c9957e003863dc30f6f7ed40ee79d

MarsStealer

4d95c08bbac739d7c01fca4d179abe72306aaa06959fce76ad18754b61ba0846

MarsStealer

4fa066ec21247d30bc4cafba293d36e2a02e5ffc6dd491591dd52fe38e87ec50

MarsStealer

5401590c0dd63cae68769ddba894fd5fc7f5b7bd97acb325f2d9c6c43798a27c

MarsStealer

715821d03d18bb8dab9435aa68a6507532630ed3252dcbf76316a2e8ea228be8

MarsStealer

8320b1984cd007f2e819d2572382e0d231feae3b91ec2d30163665aa1295cdc5

MarsStealer

c73449a6acb51f440dd1f4228ac5e537eb3653b903fab608b9c4fc427b893c41

MarsStealer

efe76e209a9575bc73aa11a6c35be706087fdc696645821c5959a4f445540e3d

MarsStealer

+ 206 additional samples on MalwareBazaar

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:4109976902326622912460160242 discovery stealer

Link:

https://tria.ge/reports/230906-gnk29sde71/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Program crash

Checks installed software on the system

Stealc

Malware Config

C2 Extraction:

http://michealjohnson.top

Unpacked files

SH256 hash:

38a5c69d1ee7c40cdc52172548936ec691f56d84bb413121375d0efa812d7c91

MD5 hash:

264d2a0135d0a951b22c3602b5bb253b

SHA1 hash:

c22c31873b2c474443b6dbf488cc28e2b434c093

Link:

https://www.unpac.me/results/ed15b57a-82e9-441c-b2e1-533cf809bd10/

SH256 hash:

b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1

MD5 hash:

874ac93d4b915cf861dcb3efde23b553

SHA1 hash:

9deb792e17d3b178617f01ac7431d19afcdef00a

Link:

https://www.unpac.me/results/ed15b57a-82e9-441c-b2e1-533cf809bd10/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b61dbd2a6172/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b61dbd2a617235d6b4178d90d126dc57e40e74751e2f39fc8a5d8acf3e53f1c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__ConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	detect_Mars_Stealer Create hunting rule
Author:	@malgamy12
Description:	detect_Mars_Stealer

Rule name:	infostealer_win_stealc_standalone Create hunting rule
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_stealc_w0 Create hunting rule
Author:	crep1x
Description:	Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/