MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MarsStealer


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6
SHA3-384 hash: 19bcfe676a3ebfb0b5caf229ee6c053a4eb9336b8cb9510619ddf54464187a5282984fe0ea8ce89e2fcd4e04a0d1499c
SHA1 hash: c7a450b65d7a567148d5f35ae575e102d6aba9bb
MD5 hash: 114d5e581b70ee44a460de6083f0ec55
humanhash: idaho-high-berlin-snake
File name:file
Download: download sample
Signature MarsStealer
Create hunting rule
File size:2'121'728 bytes
First seen:2024-11-04 12:22:48 UTC
Last seen:2024-11-04 14:34:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:JPXIjJ0a0aYnxFxDUO/QK9scMsUl/veduXzoVEyZ:JPXIFV0aYhD9Wsozo/
TLSH T1CAA533167C5A301ECB2C81B6BA9ADE376F707061C4698D69391B5E709EB37C7E383148
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe MarsStealer


Avatar
Bitsight
url: http://185.215.113.16/steam/random.exe

Intelligence

File Origin
# of uploads :
14
# of downloads :
2'924
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-04 12:29:22 UTC
Tags:
lumma stealer themida stealc loader amadey botnet
Link:
https://app.any.run/tasks/19830bb7-5d8a-41e0-abdf-c77b606e632f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.30654.7185.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6728bcbf8d23d90491335f71
Tags:
powershell vmdetect spam lien
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Connection attempt to an infection source
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/6728bcb0cc1a4bf6fda07a99/reports/47feaaf0-64c9-4782-955f-e674f7847c40/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4823a677-207f-4262-bb7e-680255c27f4b
Result
Threat name:
PureCrypter, LummaC, Amadey, LummaC Stea
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548432
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Detected PureCrypter Trojan
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies windows update settings
Monitors registry run keys for changes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1548432 Sample: file.exe Startdate: 04/11/2024 Architecture: WINDOWS Score: 100 75 thumbystriw.store 2->75 77 presticitpo.store 2->77 79 4 other IPs or domains 2->79 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Antivirus detection for URL or domain 2->123 125 14 other signatures 2->125 10 file.exe 38 2->10         started        15 92e44edee0.exe 2->15         started        17 92e44edee0.exe 2->17         started        19 11 other processes 2->19 signatures3 process4 dnsIp5 83 185.215.113.206, 49713, 49818, 49902 WHOLESALECONNECTIONSNL Portugal 10->83 85 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->85 87 127.0.0.1 unknown unknown 10->87 63 C:\Users\user\DocumentsJDAFIEHIEG.exe, PE32 10->63 dropped 65 C:\Users\user\AppData\...\softokn3[1].dll, PE32 10->65 dropped 67 C:\Users\user\AppData\Local\...\random[1].exe, PE32 10->67 dropped 69 12 other files (1 malicious) 10->69 dropped 159 Detected unpacking (changes PE section rights) 10->159 161 Attempt to bypass Chrome Application-Bound Encryption 10->161 163 Drops PE files to the document folder of the user 10->163 183 6 other signatures 10->183 21 cmd.exe 10->21         started        23 msedge.exe 2 10 10->23         started        26 chrome.exe 10->26         started        165 Query firmware table information (likely to detect VMs) 15->165 167 Tries to harvest and steal ftp login credentials 15->167 169 Tries to harvest and steal browser information (history, passwords, etc) 15->169 171 Found many strings related to Crypto-Wallets (likely being stolen) 17->171 173 Tries to steal Crypto Currency Wallets 17->173 175 Hides threads from debuggers 17->175 89 192.168.2.4 unknown unknown 19->89 91 192.168.2.8 unknown unknown 19->91 177 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 19->177 179 Maps a DLL or memory area into another process 19->179 181 Tries to detect sandboxes / dynamic malware analysis system (registry check) 19->181 29 msedge.exe 19->29         started        32 msedge.exe 19->32         started        34 identity_helper.exe 19->34         started        36 5 other processes 19->36 file6 signatures7 process8 dnsIp9 38 DocumentsJDAFIEHIEG.exe 21->38         started        42 conhost.exe 21->42         started        149 Monitors registry run keys for changes 23->149 44 msedge.exe 23->44         started        93 192.168.2.6, 443, 49708, 49709 unknown unknown 26->93 95 239.255.255.250 unknown Reserved 26->95 46 chrome.exe 26->46         started        97 13.107.246.57, 443, 49931, 49932 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->97 99 20.125.209.212, 443, 49952, 49986 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->99 103 21 other IPs or domains 29->103 71 C:\Users\user\AppData\Local\...\Cookies, SQLite 29->71 dropped 101 23.198.7.175 AKAMAI-ASN1EU United States 32->101 file10 signatures11 process12 dnsIp13 61 C:\Users\user\AppData\Local\...\skotes.exe, PE32 38->61 dropped 151 Detected unpacking (changes PE section rights) 38->151 153 Tries to evade debugger and weak emulator (self modifying code) 38->153 155 Tries to detect virtualization through RDTSC time measurements 38->155 157 3 other signatures 38->157 49 skotes.exe 38->49         started        105 plus.l.google.com 142.250.74.206, 443, 49779 GOOGLEUS United States 46->105 107 www.google.com 172.217.18.100, 443, 49748, 49749 GOOGLEUS United States 46->107 109 2 other IPs or domains 46->109 file14 signatures15 process16 dnsIp17 73 185.215.113.43 WHOLESALECONNECTIONSNL Portugal 49->73 111 Detected unpacking (changes PE section rights) 49->111 113 Tries to detect sandboxes and other dynamic analysis tools (window names) 49->113 115 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 49->115 117 5 other signatures 49->117 53 92e44edee0.exe 49->53         started        57 c3bf0257c5.exe 49->57         started        59 3a1442079c.exe 49->59         started        signatures18 process19 dnsIp20 81 founpiuer.store 172.67.133.135 CLOUDFLARENETUS United States 53->81 127 Detected unpacking (changes PE section rights) 53->127 129 Query firmware table information (likely to detect VMs) 53->129 131 Tries to evade debugger and weak emulator (self modifying code) 53->131 147 3 other signatures 53->147 133 Modifies windows update settings 57->133 135 Disables Windows Defender Tamper protection 57->135 137 Disable Windows Defender notifications (registry) 57->137 139 Disable Windows Defender real time protection (registry) 57->139 141 Hides threads from debuggers 59->141 143 Tries to detect sandboxes / dynamic malware analysis system (registry check) 59->143 145 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 59->145 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-11-04 12:23:23 UTC
File Type:
PE (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z4kgkefpyi7jys4t3s6phcrhxn25fyfsfqwpcedonhxsaf36xtla._file
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:buer family:lumma family:stealc botnet:9c9aa5 botnet:tale credential_access discovery evasion loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/241104-pkqscaslgp/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Buer
Buer family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender Real-time Protection settings
Stealc
Stealc family
Malware Config
C2 Extraction:
http://185.215.113.206
http://185.215.113.43
https://founpiuer.store/api
https://navygenerayk.store/api
Verdict:
Malicious
Tags:
stealc
YARA:
n/a
Link:
https://app.threat.zone/submission/cdaadfcb-7138-4c53-a5b4-b0fac67d2fe0
Unpacked files
SH256 hash:
81a4f37c5495800b7cc46aea6535d9180dadb5c151db6f1fd1968d1cd8c1eeb4
MD5 hash:
eda18948a989176f4eebb175ce806255
SHA1 hash:
ff22a3d5f5fb705137f233c36622c79eab995897
Link:
https://www.unpac.me/results/b996c7af-541c-44a6-b1ca-2486038d846d/
SH256 hash:
fcc120fc849a538da8a38555a99a5777bb2d2edddaa283ade94486622b528783
MD5 hash:
4c2afbb95bcb62a39ce8584f1299d599
SHA1 hash:
964a58b81e594654b74d102f9b14d6995efe58cb
Detections:
stealc
Create hunting rule
win_stealc_w0
Create hunting rule
win_stealc_a0
Create hunting rule
detect_Mars_Stealer
Create hunting rule
Link:
https://www.unpac.me/results/b996c7af-541c-44a6-b1ca-2486038d846d/
SH256 hash:
cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6
MD5 hash:
114d5e581b70ee44a460de6083f0ec55
SHA1 hash:
c7a450b65d7a567148d5f35ae575e102d6aba9bb
Link:
https://www.unpac.me/results/b996c7af-541c-44a6-b1ca-2486038d846d/
Malware family:
Stealc
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf146510afc2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MarsStealer

Executable exe cf146510afc23e9c4b93dcbcf38a27bb75d2e0b22c2cf1106e69ef20177ebcd6

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3079150/
  
URLhaus
https://urlhaus.abuse.ch/url/3273391/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments