eSentire Threat Intelligence Malware Analysis: Mars Stealer
Common Information

Type                              Value
UUID                              3e0f9244-dc45-45d5-a218-43f21167179f
Fingerprint                       25a8b9d4bebfdec0
Analysis status                   DONE
Considered CTI value              2
Text language
Published                         May 18, 2022, midnight
Added to db                       Sept. 26, 2022, 9:34 a.m.
Last updated                      Nov. 17, 2024, 6:53 p.m.
Headline                          eSentire Threat Intelligence Malware Analysis: Mars Stealer
Title                             eSentire Threat Intelligence Malware Analysis: Mars Stealer
Detected Hints/Tags/Attributes    122/3/57
Attributes