MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
SHA3-384 hash: e46d0b46aa591591b85dcfe1b61ebb28a78295433339f4f74c6458dc2e39ae3cbbf9e733bdfc13734c06c72e0f5be843
SHA1 hash: a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d
MD5 hash: 022cc85ed0f56a3f3e8aec4ae3b80a71
humanhash: maryland-robert-august-king
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:344'992 bytes
First seen:2024-10-01 20:24:01 UTC
Last seen:2024-10-02 14:17:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:X5EAq+eU9BhaikesEDBVqaDf5kLslwEIF4TN4ha/qks1l9QjjmQ+Nb/Q5AQEO:J5vlBQB/EDBkaDRkyZIF4TN4o/29QjK0
Threatray 10 similar samples on MalwareBazaar
TLSH T17074226B4EA51C31DE9629BE31B0D1692BB8D2C244E8CBF33179D19DC981F8E13CE564
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://147.45.44.104/prog/66fbfcc301a31_swws.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
381
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
130.7z
Verdict:
Malicious activity
Analysis date:
2024-10-01 20:06:15 UTC
Tags:
evasion autoit-loader privateloader loader stealer stealc amadey botnet opendir metastealer netreactor miner smokeloader themida risepro vidar confuser socks5systemz proxy g0njxa
Link:
https://app.any.run/tasks/f7dfa8a5-d70b-4124-af71-4fb65919e9db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.PasswordStealer.MSILHeracles.8.6798.279.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fc5a6458399e4484e7d9dd
Tags:
Micro Msil Core
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Forced shutdown of a system process
Connection attempt to an infection source
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed stealc
Link:
https://www.filescan.io/uploads/66fc5a6553fe6ca94b70f338/reports/76ed2292-0ad9-443b-8633-aab1ce4fdbf6/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d5c6e66f-8ee2-4438-a08d-e1001eb1014b
Result
Threat name:
LummaC, Stealc, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1523661
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1523661 Sample: file.exe Startdate: 01/10/2024 Architecture: WINDOWS Score: 100 122 treatynreit.site 2->122 124 steamcommunity.com 2->124 126 9 other IPs or domains 2->126 160 Suricata IDS alerts for network traffic 2->160 162 Found malware configuration 2->162 164 Antivirus detection for URL or domain 2->164 166 15 other signatures 2->166 15 file.exe 2 2->15         started        signatures3 process4 file5 120 C:\Users\user\AppData\Local\...\file.exe.log, CSV 15->120 dropped 142 Contains functionality to inject code into remote processes 15->142 144 Writes to foreign memory regions 15->144 146 Allocates memory in foreign processes 15->146 148 Injects a PE file into a foreign processes 15->148 19 RegAsm.exe 39 15->19         started        24 RegAsm.exe 15->24         started        26 conhost.exe 15->26         started        signatures6 process7 dnsIp8 128 46.8.231.109, 49713, 49765, 80 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 19->128 130 147.45.44.104, 49715, 49755, 80 FREE-NET-ASFREEnetEU Russian Federation 19->130 96 C:\Users\user\AppData\...\softokn3[1].dll, PE32 19->96 dropped 98 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 19->98 dropped 100 C:\Users\user\AppData\...\mozglue[1].dll, PE32 19->100 dropped 102 13 other files (9 malicious) 19->102 dropped 176 Tries to steal Mail credentials (via file / registry access) 19->176 178 Tries to steal Crypto Currency Wallets 19->178 180 Tries to harvest and steal Bitcoin Wallet information 19->180 28 cmd.exe 1 19->28         started        30 cmd.exe 1 19->30         started        182 Found evasive API chain (may stop execution after checking locale) 24->182 184 Searches for specific processes (likely to inject) 24->184 file9 signatures10 process11 process12 32 userDGCFHIDAKE.exe 2 28->32         started        35 conhost.exe 28->35         started        37 userCGIDHIIJKE.exe 2 30->37         started        39 conhost.exe 30->39         started        signatures13 150 Multi AV Scanner detection for dropped file 32->150 152 Writes to foreign memory regions 32->152 154 Allocates memory in foreign processes 32->154 41 RegAsm.exe 1 174 32->41         started        46 conhost.exe 32->46         started        156 Injects a PE file into a foreign processes 37->156 158 LummaC encrypted strings found 37->158 48 RegAsm.exe 37->48         started        50 conhost.exe 37->50         started        process14 dnsIp15 132 cowod.hopto.org 45.132.206.251, 49768, 80 LIFELINK-ASRU Russian Federation 41->132 134 49.12.197.9, 443, 49731, 49732 HETZNER-ASDE Germany 41->134 104 C:\Users\...\66fbfccd837ac_vadggdsa[1].exe, PE32 41->104 dropped 106 C:\Users\user\...\66fbfcc9963ca_ldfsna[1].exe, PE32 41->106 dropped 108 C:\Users\user\...\66fbfcc301a31_swws[1].exe, PE32 41->108 dropped 110 3 other malicious files 41->110 dropped 194 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->194 196 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 41->196 198 Tries to steal Crypto Currency Wallets 41->198 200 Tries to harvest and steal Bitcoin Wallet information 41->200 52 CGIDHIIJKE.exe 41->52         started        55 ECBGHCGCBK.exe 41->55         started        57 GIEBFHCAKF.exe 41->57         started        59 cmd.exe 41->59         started        136 gravvitywio.store 104.21.16.12, 443, 49729 CLOUDFLARENETUS United States 48->136 138 mysterisop.site 104.21.21.3, 443, 49725, 49767 CLOUDFLARENETUS United States 48->138 140 7 other IPs or domains 48->140 file16 signatures17 process18 signatures19 168 Multi AV Scanner detection for dropped file 52->168 170 Writes to foreign memory regions 52->170 172 Allocates memory in foreign processes 52->172 61 RegAsm.exe 52->61         started        65 conhost.exe 52->65         started        174 Injects a PE file into a foreign processes 55->174 67 conhost.exe 55->67         started        69 RegAsm.exe 55->69         started        71 RegAsm.exe 55->71         started        77 2 other processes 55->77 73 conhost.exe 57->73         started        75 RegAsm.exe 57->75         started        79 2 other processes 59->79 process20 file21 112 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 61->112 dropped 114 C:\Users\user\AppData\...\mozglue[1].dll, PE32 61->114 dropped 116 C:\Users\user\AppData\...\freebl3[1].dll, PE32 61->116 dropped 118 3 other files (2 malicious) 61->118 dropped 202 Tries to steal Mail credentials (via file / registry access) 61->202 204 Tries to harvest and steal ftp login credentials 61->204 206 Tries to harvest and steal browser information (history, passwords, etc) 61->206 208 2 other signatures 61->208 81 cmd.exe 61->81         started        83 cmd.exe 61->83         started        signatures22 process23 process24 85 userGCBGCGHDGI.exe 81->85         started        88 conhost.exe 81->88         started        90 userAFBKKFBAEG.exe 83->90         started        92 conhost.exe 83->92         started        signatures25 186 Multi AV Scanner detection for dropped file 85->186 188 Writes to foreign memory regions 85->188 190 Allocates memory in foreign processes 85->190 94 conhost.exe 85->94         started        192 Injects a PE file into a foreign processes 90->192 process26
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3/
Threat name:
ByteCode-MSIL.Trojan.RedlineStealer
Create hunting rule
Status:
Malicious
First seen:
2024-10-01 16:55:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmulwy7ngsr3j6l2bitl3kfhu7da7fqqcddzkad63rjfo24j4tjq._file
Verdict:
malicious
Label(s):
stealc
Create hunting rule
Similar samples:
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff
MarsStealer
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957
MarsStealer
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
MarsStealer
c94f21254373c228e200a85422f611768978e785385d2802883cb1b75a0b31b0
MarsStealer
dd2e52949ee517d8a0079b3847a9911abef05e2d6dfcc1bbae49ad5495de9a01
MarsStealer
error
MarsStealer
Result
Malware family:
vidar
Create hunting rule
Score:
  10/10
Tags:
family:lumma family:stealc family:vidar botnet:8b4d47586874b08947203f03e4db3962 botnet:default credential_access discovery spyware stealer
Link:
https://tria.ge/reports/241001-y6plvasfjg/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Downloads MZ/PE file
Detect Vidar Stealer
Lumma Stealer, LummaC
Stealc
Vidar
Malware Config
C2 Extraction:
http://46.8.231.109
https://steamcommunity.com/profiles/76561199780418869
https://t.me/ae5ed
https://questionsmw.store/api
https://soldiefieop.site/api
https://abnomalrkmu.site/api
https://treatynreit.site/api
https://snarlypagowo.site/api
https://mysterisop.site/api
https://absorptioniw.site/api
https://gravvitywio.store/api
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/ea7cf176-d303-4895-8468-40146bae8d16
Unpacked files
SH256 hash:
06f3daaedaefb6f74a31b3cfaec23e4290c50609c8cdacb33bd363e5fa0834ef
MD5 hash:
400efa3a374f435132c5eb4a7f809a95
SHA1 hash:
f72efa14ace9db4b6b7f77b7c8bac34a112bf521
Detections:
stealc
Create hunting rule
Link:
https://www.unpac.me/results/744e5315-267f-43b3-8127-ee58da6c4642/
Parent samples :
2b8bcd9d7d072feb114e0436dc10aa80fda52cdd46a4948ea1ae984f74898375
2280a0c18708cb5fd0e093e2f42350e3afb8f3ca31fd3279fc797a6c535532ef
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
c5a07fdd3ce7bee393285bef38dd7bc96386c33cba401d06187d0a10d479de6c
fb4298dbc61eb3ace5aa751f29a4b53bb20959fb39bde91095e1d18103149e18
2d63ff4e2c1bde1601315d12ea75a52c90b7e203f8a8e6140ab1da2e0d8a9554
1dc17bd6367dafd965adb0a12819f7efd6d5bc61585feceee69f6a09e4d1fc32
98a63017e0d5084ced9459e819a9586691062b1bbe5f2622069df90112201329
53f74c71c625da6b7ff77c3a61aad3be0ff4a7199ee447c57c0d12dbbfaccf32
20175d2f268bff73e352a5a5b85d987b8a5958311b1032251f7341def5396f4b
48fc88b91467d7f8781721313f69f8299e128ca190a95ff790d6ac23bd9a98d5
7ffc2e99e06f93704ab32bd39627ee66d1f114b89c45463eeb198af72de0613d
33ec381cf58df623bc6b3879a5aea2914034d42b885a2c61aaf10f6c2ab8cae4
3bc752d2803f660c3216bcfa6fcd3cfb03b21b8753d4bec32f4e679af854028a
9714d301c8b96c7263dea4a36ddbdf74896d31f648d2836fa2d2642dccca17e8
33105a1685207694a3de20a03c82524fe8cd7f0f19fa85ba5d88d6b4d8457660
08fc29d1bcd3c1c9145a6cf9087ce892217c2d0312410d916dd8aa748a0479c6
33b0a6c0a93c8739f0a9de40a727c7d5dba9c9a0e6ffe65c7d3173082be2a73f
22595bd9120d6fad0bd0e8caf9700fe6ab5f2805c8903681baddb1bab83819c5
fde872c02c049b7b02d8dfa2d694fba47b8d300001c6cf0ec83f11634a7256dd
0cfea23100355dbb358f9355abe9acc2c93042e29027c9f547fab0c0084d6d63
66fbc128c741b0d895e723e7ef1bc7f2a953beda60cbebf55b8f8139926d4849
ddf3c590d0cd0bf3f871c5baa3a84e14428cecf3a929fd2c40d483e3252d45ff
54c87130b16079039f3b1e1f406a794669ef4f66f3d26ebde713491e03a1ee08
7ad4282eca5f0d0ed47402d9c012b95623f114353cfd5f09aaf0aab343f8a8d7
441fa698045cf117642df2b3cb38a7729e3c96f8d807dcb60a89ee355dbfaffd
SH256 hash:
29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43
MD5 hash:
2ec23e83e2f63ab27c25741b1f4d7f49
SHA1 hash:
bb231b274bd66393fa830a44e6d4447d4399eeb9
Link:
https://www.unpac.me/results/744e5315-267f-43b3-8127-ee58da6c4642/
SH256 hash:
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3
MD5 hash:
022cc85ed0f56a3f3e8aec4ae3b80a71
SHA1 hash:
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d
Link:
https://www.unpac.me/results/744e5315-267f-43b3-8127-ee58da6c4642/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bb28bb63ed34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3203887/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments