MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097
SHA3-384 hash: ebe26cb0c26114114f37dd5c40f24e63b4de97bb0a503b5183939ca6a7264ddc966c3fa76e39f62d998905aaf2a12f5c
SHA1 hash: 4f425cfecbf71ab0a345375dac6a37fc2ee6fb15
MD5 hash: 378b56c2aad90af650c7b026517e1b84
humanhash: lamp-beryllium-victor-whiskey
File name:378b56c2aad90af650c7b026517e1b84
Download: download sample
Signature MarsStealer
Create hunting rule
File size:2'243'072 bytes
First seen:2022-10-13 07:01:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:2sEvv6E3qyWZnmXCv018I7TegoQAVoy1MeM0KVnWZQzjFeM6DJOjB9sTTHyoU692:zSV7TXoQAVoy1dKVnYQb6VONJE2
Threatray 6'978 similar samples on MalwareBazaar
TLSH T12AA5F8F0A1BB8092F6479DB1293CF9E105B131A3ADDE0D39072A6A04CFEFD553549A4E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e896f04decf0d4e8 (1 x MarsStealer, 1 x XWorm, 1 x zgRAT)
Reporter zbetcheckin
Tags:32 exe MarsStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319713/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6347b7ee316b332dfca8f4d9/reports/027432e7-ae2d-4af8-a32d-68e438be7ccb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/67668181-1a67-4c6f-b668-31d8f456da27
Result
Threat name:
Vidar
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1089542
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Encrypted powershell cmdline option found
Found C&C like URL pattern
Found evasive API chain (may stop execution after checking computer name)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 722141 Sample: bo2rucnt4L.exe Startdate: 13/10/2022 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for URL or domain 2->43 45 9 other signatures 2->45 8 bo2rucnt4L.exe 4 2->8         started        process3 file4 29 C:\Users\user\AppData\...\bo2rucnt4L.exe.log, ASCII 8->29 dropped 47 Found evasive API chain (may stop execution after checking mutex) 8->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->49 51 Encrypted powershell cmdline option found 8->51 53 3 other signatures 8->53 12 bo2rucnt4L.exe 93 8->12         started        17 powershell.exe 14 8->17         started        19 bo2rucnt4L.exe 8->19         started        signatures5 process6 dnsIp7 37 crypto-land.net 172.67.211.253, 49706, 80 CLOUDFLARENETUS United States 12->37 31 C:\Users\user\Desktop\OVWVVIANZH.pdf, ASCII 12->31 dropped 33 C:\Users\user\Desktop\IZMFBFKMEB.docx, ASCII 12->33 dropped 35 C:\Users\user\Desktop\BWDRWEEARI.docx, ASCII 12->35 dropped 55 Self deletion via cmd or bat file 12->55 57 Tries to harvest and steal browser information (history, passwords, etc) 12->57 59 Tries to steal Crypto Currency Wallets 12->59 61 Modifies existing user documents (likely ransomware behavior) 12->61 21 cmd.exe 1 12->21         started        23 conhost.exe 17->23         started        file8 signatures9 process10 process11 25 conhost.exe 21->25         started        27 timeout.exe 1 21->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-10-13 03:39:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
22 of 42 (52.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yteuknrhni3hgz32s22rjppworncnycejksere7vywimuwgwqclq._file
Verdict:
malicious
Similar samples:
0a869d139f509a45998437cb390ae80c9d5581bf615666e0535b0dd157f9e0aa
MarsStealer
1c4c51643818307480c2436301dab98c4794812abb3e94df7b133450411b66e1
MarsStealer
279b50a0ca696efea461a18afb4b4e0bba3dafb305644d0e8d9fc411d3d6891c
MarsStealer
3f3f17de70e897ba762f6a6073b6716a4fc01e04ea0038a4f01ce7842c7d8a74
MarsStealer
4bcabec27b62127148e5a986ab1d36d6485e686f03ab012d3631be04b82c29f5
MarsStealer
62d3d9a1ea3239188f9735ab3959c8f336e0682cc868a446a53a876a51d44177
MarsStealer
74d97d31a52c0d59f9094c0eeb538863f58156b6b033aec77b33202d4ce6a967
MarsStealer
8de88d3403aea70bfafb52711ae187b8abaadb60d87be9afbc5bdbe33bb51cdd
MarsStealer
9579f141b148827a8307419bfe076a7e9ab2f21665b8dd8467ca480be1365d49
MarsStealer
9e70f94c2bee83c63e40004e38b390edf044b64e5ab5554f3aad9dd187e23d6d
MarsStealer
+ 6'968 additional samples on MalwareBazaar
Result
Malware family:
marsstealer
Create hunting rule
Score:
  10/10
Tags:
family:marsstealer botnet:default discovery spyware stealer
Link:
https://tria.ge/reports/221013-htsjzabcc4/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Mars Stealer
Malware Config
C2 Extraction:
crypto-land.net/steak/gate.php
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2a9956c8-1d11-4a82-8e76-f4723340c636
Unpacked files
SH256 hash:
29260b7222e9771dbbb905c137cec964261dd3854be3d764cbd557b26b6c9ee9
MD5 hash:
c65805c1fc4871077b01f738234346d7
SHA1 hash:
fc3784cbff72ed12fb99afff9d71a022bf847bb4
Link:
https://www.unpac.me/results/c305a6dd-87f6-46a4-8e5c-18057242e697/
SH256 hash:
600f470752896dd17bad2b4fb277ec23af2735440829666e666a8b34b201707a
MD5 hash:
526ecb66f56382064da226e1ee725b78
SHA1 hash:
ca130a623d10e2a7f8add75b7e3b4c7611e61b64
Link:
https://www.unpac.me/results/c305a6dd-87f6-46a4-8e5c-18057242e697/
SH256 hash:
c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097
MD5 hash:
378b56c2aad90af650c7b026517e1b84
SHA1 hash:
4f425cfecbf71ab0a345375dac6a37fc2ee6fb15
Link:
https://www.unpac.me/results/c305a6dd-87f6-46a4-8e5c-18057242e697/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c4c94536276a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe c4c94536276a3673677a96b514bdf6745a26e0444aa44893f5c590ca58d68097

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2366157/
Cape
Cape
https://www.capesandbox.com/analysis/319713/

Comments


Avatar
zbet commented on 2022-10-13 07:01:46 UTC

url : hxxps://bitcoinpass.ru/slf/windll64.exe