win.mars_stealer

Mars Stealer


3xp0rt describes Mars Stealer as an improved successor of Oski Stealer that supports stealing from current browsers and targets cryptocurrencies and 2FA plugins.

References
2022-05-21 | Github (x-junior) | Mohamed Ashraf
@online{ashraf:20220521:deep:0e3523b, author = {Mohamed Ashraf}, title = {{Deep Analysis of Mars Stealer}}, date = {2022-05-21}, organization = {Github (x-junior)}, url = {https://x-junior.github.io/malware%20analysis/MarsStealer/}, language = {English}, urldate = {2022-05-23} }
Families: Mars Stealer

2022-05-18 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220518:esentire:662b9d9, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: Mars Stealer}}, date = {2022-05-18}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer}, language = {English}, urldate = {2022-05-24} }
Families: Mars Stealer

2022-05-17 | Microsoft Security | Berman Enconado, Laurie Kirk
@online{enconado:20220517:in:c234e4d, author = {Berman Enconado and Laurie Kirk}, title = {{In hot pursuit of ‘cryware’: Defending hot wallets from attacks}}, date = {2022-05-17}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/}, language = {English}, urldate = {2022-05-25} }
Families: Mars Stealer, RedLine Stealer

2022-04-11 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220411:fake:e57b0f2, author = {eSentire Threat Response Unit (TRU)}, title = {{Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer}}, date = {2022-04-11}, organization = {eSentire}, url = {https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer}, language = {English}, urldate = {2022-05-24} }
Families: Mars Stealer, NetSupportManager RAT

2022-04-10 | Bleeping Computer | Bill Toulas
@online{toulas:20220410:new:1241933, author = {Bill Toulas}, title = {{New Meta information stealer distributed in malspam campaign}}, date = {2022-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/}, language = {English}, urldate = {2022-05-05} }
Families: BlackGuard, Mars Stealer, Raccoon

2022-04-07 | Sekoia | Threat & Detection Research Team
@online{team:20220407:mars:9a72e1f, author = {Threat & Detection Research Team}, title = {{Mars, a red-hot information stealer}}, date = {2022-04-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/mars-a-red-hot-information-stealer/}, language = {English}, urldate = {2022-04-08} }
Families: Mars Stealer

2022-04-05 | Malwarebytes Labs | Ankur Saini, Hossein Jazi, Jérôme Segura
@online{saini:20220405:colibri:ee97c2e, author = {Ankur Saini and Hossein Jazi and Jérôme Segura}, title = {{Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique}}, date = {2022-04-05}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/}, language = {English}, urldate = {2022-06-09} }
Families: Colibri Loader, Mars Stealer

2022-03-30 | Cert-UA | Cert-UA
@online{certua:20220330:mass:5bc04fd, author = {Cert-UA}, title = {{Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)}}, date = {2022-03-30}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38606}, language = {Ukrainian}, urldate = {2022-04-04} }
Families: Mars Stealer

2022-03-29 | Morphisec | Arnold Osipov
@online{osipov:20220329:exclusive:37a9d8b, author = {Arnold Osipov}, title = {{Exclusive Threat Research: Mars (Stealer) Attacks!}}, date = {2022-03-29}, organization = {Morphisec}, url = {https://blog.morphisec.com/threat-research-mars-stealer}, language = {English}, urldate = {2022-03-31} }
Families: Mars Stealer

2022-03-23 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} }
Families: Arkei Stealer, Mars Stealer, Vidar

2022-02-22 | CyberInt | Shmuel Gihon
@online{gihon:20220222:like:5154c54, author = {Shmuel Gihon}, title = {{Like Father Like Son? New Mars Stealer}}, date = {2022-02-22}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/mars-stealer/}, language = {English}, urldate = {2022-03-23} }
Families: Mars Stealer, Oski Stealer

2022-02-01 | 3xp0rt | 3xp0rt
@online{3xp0rt:20220201:mars:3ff37ea, author = {3xp0rt}, title = {{Mars Stealer: Oski refactoring}}, date = {2022-02-01}, organization = {3xp0rt}, url = {https://3xp0rt.com/posts/mars-stealer}, language = {English}, urldate = {2022-04-15} }
Families: Mars Stealer, Oski Stealer
Yara Rules
[TLP:WHITE] win_mars_stealer_auto (20220516 | Detects win.mars_stealer.)
rule win_mars_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.mars_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4d08 51 e8???????? 83c418 8d95b0fdffff }
            // n = 5, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8d95b0fdffff         | lea                 edx, [ebp - 0x250]

        $sequence_1 = { 52 ff15???????? 6a04 8d8558e6ffff 50 e8???????? c7855ce6ffff00000000 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a04                 | push                4
            //   8d8558e6ffff         | lea                 eax, [ebp - 0x19a8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   c7855ce6ffff00000000     | mov    dword ptr [ebp - 0x19a4], 0

        $sequence_2 = { 8b4dfc 898d48e9ffff 8b9548e9ffff 83ea01 899548e9ffff 83bd48e9ffff04 0f8715010000 }
            // n = 7, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   898d48e9ffff         | mov                 dword ptr [ebp - 0x16b8], ecx
            //   8b9548e9ffff         | mov                 edx, dword ptr [ebp - 0x16b8]
            //   83ea01               | sub                 edx, 1
            //   899548e9ffff         | mov                 dword ptr [ebp - 0x16b8], edx
            //   83bd48e9ffff04       | cmp                 dword ptr [ebp - 0x16b8], 4
            //   0f8715010000         | ja                  0x11b

        $sequence_3 = { 8d8598faffff 50 e8???????? 83c418 8b4d1c 51 }
            // n = 6, score = 100
            //   8d8598faffff         | lea                 eax, [ebp - 0x568]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8b4d1c               | mov                 ecx, dword ptr [ebp + 0x1c]
            //   51                   | push                ecx

        $sequence_4 = { 8d85e8feffff 50 68???????? 8b4df8 51 e8???????? 83c418 }
            // n = 7, score = 100
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax
            //   68????????           |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_5 = { 8b95f4f9ffff 52 8d85f8f9ffff 50 ff15???????? 034518 }
            // n = 6, score = 100
            //   8b95f4f9ffff         | mov                 edx, dword ptr [ebp - 0x60c]
            //   52                   | push                edx
            //   8d85f8f9ffff         | lea                 eax, [ebp - 0x608]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   034518               | add                 eax, dword ptr [ebp + 0x18]

        $sequence_6 = { 51 ff15???????? 8d95a8fcffff 52 8d85a0fbffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d95a8fcffff         | lea                 edx, [ebp - 0x358]
            //   52                   | push                edx
            //   8d85a0fbffff         | lea                 eax, [ebp - 0x460]

        $sequence_7 = { 51 ff15???????? 8bf0 037518 8b95f4f9ffff }
            // n = 5, score = 100
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   037518               | add                 esi, dword ptr [ebp + 0x18]
            //   8b95f4f9ffff         | mov                 edx, dword ptr [ebp - 0x60c]

        $sequence_8 = { 50 e8???????? 83c408 6888130000 8d8d78ecffff 51 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   6888130000           | push                0x1388
            //   8d8d78ecffff         | lea                 ecx, [ebp - 0x1388]
            //   51                   | push                ecx

        $sequence_9 = { 50 e8???????? 6804010000 8d8db0fdffff 51 e8???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   6804010000           | push                0x104
            //   8d8db0fdffff         | lea                 ecx, [ebp - 0x250]
            //   51                   | push                ecx
            //   e8????????           |                     

    condition:
        7 of them and filesize < 219136
}