MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

MarsStealer

Vendor detections: 18

Intelligence 18 IOCs YARA 7 File information Comments

SHA256 hash:	ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15
SHA3-384 hash:	aba0af82a10ae86b0d37abc084b172b94e644f20073087c6a7344eca5bf30fc3471d47caaf122bfd8fa9960b6964ef51
SHA1 hash:	97eca2aacab06e6784e7d2a96cd566dc396b8213
MD5 hash:	e927384b0ec29e82d2b4f422ff09e53c
humanhash:	virginia-skylark-stream-idaho
File name:	file
Download:	download sample
Signature	MarsStealer Create hunting rule
File size:	335'224 bytes
First seen:	2024-10-03 08:14:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:XzsQketocK9iMRRPLLMeyXxiHwj4OXuB+RqqJ0t7yA7i3ZOkbNNmchEf7uitWesV:Ds6tpK9ZzLBOIyYqnA4UkvN2LRsquMe
TLSH	T1B664234FCDE88D9EDE9BAD3AEDD198213AF8D0EB88C78045614ACC261B5771637D042D
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	Bitsight
Tags:	exe MarsStealer

Bitsight

url: http://playd.healthnlife.pk/ldms/c4f8a2db7f87.exe

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2024-10-03 08:17:13 UTC

Tags:

stealer stealc

Link:

https://app.any.run/tasks/291c143a-5156-4204-be44-1bc01fe37ae7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66fe94050fdf88870979ed01

Tags:

Exploit Micro Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Creating a file

Сreating synchronization primitives

Sending an HTTP GET request to an infection source

Forced shutdown of a system process

Connection attempt to an infection source

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed stealc

Link:

https://www.filescan.io/uploads/66fe5289168559661d51fdfb/reports/78860d0e-f5bd-4a8f-9252-81faa68c3971/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Stealc

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a7dd9efd-9431-47eb-b592-05b198edaef6

Result

Threat name:

Stealc

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1524833

Signature

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Writes to foreign memory regions

Yara detected Powershell download and execute

Yara detected Stealc

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2024-10-03 08:15:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

13 of 38 (34.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zjbmewk7nwffwjju7ohpkpe27xirr7myhwrl6wpt44knveafhmkq._file

Verdict:

malicious

Label(s):

stealc

Similar samples:

error

MarsStealer

Result

Malware family:

stealc

Score:

10/10

Tags:

family:stealc botnet:default5_doz discovery stealer

Link:

https://tria.ge/reports/241003-j5k5pstcln/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Stealc

Malware Config

C2 Extraction:

http://62.204.41.159

Verdict:

Malicious

Tags:

stealc

YARA:

n/a

Link:

https://app.threat.zone/submission/4f0faa7e-5122-4f00-b678-94f16fdc274d

Unpacked files

SH256 hash:

2e145192e413b1db4ebb7b726d8c9a4f23404229425a88455a095dc8b47edd2b

MD5 hash:

0480eba457a76f0ffbcc53958dfe88e9

SHA1 hash:

95ca50985d4a8162069185757001e9fd3e402964

Detections:

stealc

Link:

https://www.unpac.me/results/d9cd06cf-cdae-458a-8ed2-1afcb22c17f1/

Parent samples :

141b94942464c19bbe918855f4268bd21c3e9014c98a55ce52ed71187eed1861
a84e56d23959591054296a99427ff69cc7dbda0555d61213438ee5f845381bda
ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15
9a9a00de899875e4cc8ea6bac86f8950ff701c07349baef3d9a1fdf158dc6386
d498d07e1ddb734daef7968a218620d9251d480b0f10f1838365bfbd3387aba6
2730123ca927015ac3021aedfc4bcb1086252ffb5b91a9dd98db221fbfc6b217
0db238ecc6f027d553c26085977840865707bd24d2656656381d84c54e456206
da88bc40c7826a659ebd6da325bd04c9f52d4ceeef6916aafeef471c685a96b9
b986a005dc342782efd295081e8facc359647bf5f37a772294af3d65be47b7a6
7670b1054c425a8498f41ac29a964438dfc87b7f28245884637727444b5237ce
1f11629cc1cf4d00dbfbe5f11f5df7b5588dccac7e7cf85dc5e696703179ad28
97589cdb752317b0a8001b6faf0fceb68acd34c561b9a02b44b77cd3592e638c

SH256 hash:

29e7e1c1e1a7e5f26f6961d8036cdd04ee4557dec0a7dcadcd8e7651f5e53f43

MD5 hash:

2ec23e83e2f63ab27c25741b1f4d7f49

SHA1 hash:

bb231b274bd66393fa830a44e6d4447d4399eeb9

Link:

https://www.unpac.me/results/d9cd06cf-cdae-458a-8ed2-1afcb22c17f1/

SH256 hash:

ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15

MD5 hash:

e927384b0ec29e82d2b4f422ff09e53c

SHA1 hash:

97eca2aacab06e6784e7d2a96cd566dc396b8213

Link:

https://www.unpac.me/results/d9cd06cf-cdae-458a-8ed2-1afcb22c17f1/

Malware family:

Stealc

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ca42c2595f6d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Mars Stealer

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

exe ca42c2595f6d8a5b2534fb8ef53c9afdd118fd983da2bf59f3e714da90053b15

(this sample)

Dropped by

Privateloader

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/3206613/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample