MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694
SHA3-384 hash: 4fc0da72a65f6b67bf3d9cffc99f785f00af5312e933a1aa5fe0dc1dfa23880ef0897b68fb5b2520afd9266a088c7e63
SHA1 hash: a9a7a52379bce50b8713596ba3eddf9b90fd1ccc
MD5 hash: 007a9527bf23925597d5f273a2d1e256
humanhash: india-leopard-jig-lithium
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:2'146'304 bytes
First seen:2024-11-09 02:38:18 UTC
Last seen:2024-11-09 04:24:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:u8IhdpW/3KoJ+qw9WMD2mWd+XrXMBsa4d+YDU6gIUZ39nHB:l5/3Z+qwZqeasDbwQy31B
Threatray 17 similar samples on MalwareBazaar
TLSH T12FA5335C5FEAF9A4E7FD0D7FB04A59828DB25D81A34CF22D324A1931CC75E34980B469
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
31
# of downloads :
531
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-09 02:40:34 UTC
Tags:
stealer stealc qrcode
Link:
https://app.any.run/tasks/19b67d58-8e64-4973-9c51-411db1b726fc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.32151.3453.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672ecb616c614f3030a3b03b
Tags:
vmdetect spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/672ecb4870ec18f1ce40349a/reports/09ea551a-2145-4fab-8e48-cd9e56e303e4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/705a8e76-e2b8-4dbb-91aa-3d1c9f29b3a1
Result
Threat name:
Stealc
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552571
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected Powershell download and execute
Yara detected Stealc
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-09 02:39:05 UTC
File Type:
PE (Exe)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zzybtshfpaslkmyjhzrm2g5jmhgcy7ufcdf2uads7cufs56vg2ka._file
Verdict:
suspicious
Label(s):
stealc
Create hunting rule
Similar samples:
09a622aeeec375f783c6a88a7f9bb6f9a1cf90af6dcf2d57f18eda2ca5a88cca
MarsStealer
1f9a1e48fd8e9be5528b088a0a9cbefcdb523ee10e63fa14249130c139f1ccb9
MarsStealer
4857eea4cdb38f5a705744faa7a99a13f69cec9f07e2fbdf1fbfc25c32c731a7
MarsStealer
4899660112f2e8f637d3236a7081ce7b53887651ed896712acda6509f473e439
MarsStealer
7984d55eb2702a1d13486c38ebfff582138d73280895dac749b9ec6010f891f3
MarsStealer
81ccbbfcfd5e8991632a16d6b4d28b36ef74409773b3e5622cf58cf43638ce07
MarsStealer
81f6b25288157d9371ed054c3a91066e6eb5eacaeca7adea99eed801bbb64b35
MarsStealer
e3c2712e512393b442cda0b532d2f25c7bac0de7d5d8ba8d83ce545c827bebaf
MarsStealer
error
MarsStealer
fe3e25e07d0c6d9d56cb067571e4dbb7a994c90cf1d7689ee75d83b44e4a8e39
MarsStealer
+ 7 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:stealc botnet:tale discovery evasion stealer
Link:
https://tria.ge/reports/241109-c5akmsyjfp/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c081b34-84f7-4a5b-b520-9df8909a7a67
Unpacked files
SH256 hash:
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
MD5 hash:
eda18948a989176f4eebb175ce806255
SHA1 hash:
ff22a3d5f5fb705137f233c36622c79eab995897
Link:
https://www.unpac.me/results/3f806870-a788-44d6-9464-7a7eae01dce5/
SH256 hash:
f4b96dcb0539cc8464e14e04812a266f0e2edf1283e05eb5aab5cbda26a07e18
MD5 hash:
8a56b93267b6c8c9241bfa6a52b40239
SHA1 hash:
951a91848b9f6e124c166a3b56786cc5e997459c
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/3f806870-a788-44d6-9464-7a7eae01dce5/
SH256 hash:
ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694
MD5 hash:
007a9527bf23925597d5f273a2d1e256
SHA1 hash:
a9a7a52379bce50b8713596ba3eddf9b90fd1ccc
Link:
https://www.unpac.me/results/3f806870-a788-44d6-9464-7a7eae01dce5/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce7019c8e578/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe ce7019c8e57824b533093e62cd1ba961cc2c7e8510cbaa0072f8a85977d53694

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3279845/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments