Mars Stealer (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.mars_stealer (Back to overview)

Mars Stealer

VTCollection

3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins.

References

2023-11-15 ⋅ Viuleeenz ⋅ Alessandro Strino
Applied Emulation - Analysis of MarsStealer
Mars Stealer

2022-12-29 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team
Mars Stealer Analysis
Mars Stealer

2022-12-18 ⋅ ZAYOTEM ⋅ Meryem Ahıskalı, Nisanur Çıldız, Ömer Faruk Kayıkcı
Mars Stealer Technical Analysis Report
Mars Stealer

2022-09-15 ⋅ Sekoia ⋅ Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer

2022-08-02 ⋅ Recorded Future ⋅ Insikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar

2022-08-02 ⋅ cyble ⋅ Cyble Research Labs
Fake Atomic Wallet Website Distributing Mars Stealer
Mars Stealer

2022-07-13 ⋅ KELA ⋅ KELA Cyber Intelligence Center
The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar

2022-05-21 ⋅ Github (x-junior) ⋅ Mohamed Ashraf
Deep Analysis of Mars Stealer
Mars Stealer

2022-05-18 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: Mars Stealer
Mars Stealer

2022-05-17 ⋅ Microsoft Security ⋅ Berman Enconado, Laurie Kirk
In hot pursuit of ‘cryware’: Defending hot wallets from attacks
Mars Stealer RedLine Stealer

2022-04-20 ⋅ InfoSec Institute ⋅ Pedro Tavares
Mars Stealer malware analysis
Mars Stealer

2022-04-11 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT

2022-04-10 ⋅ Bleeping Computer ⋅ Bill Toulas
New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon

2022-04-07 ⋅ Sekoia ⋅ Threat & Detection Research Team
Mars, a red-hot information stealer
Mars Stealer

2022-04-05 ⋅ Malwarebytes Labs ⋅ Ankur Saini, Hossein Jazi, Jérôme Segura
Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
Colibri Loader Mars Stealer

2022-03-30 ⋅ ⋅ Cert-UA ⋅ Cert-UA
Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)
Mars Stealer

2022-03-29 ⋅ Morphisec ⋅ Arnold Osipov
Exclusive Threat Research: Mars (Stealer) Attacks!
Mars Stealer

2022-03-23 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar

2022-03-23 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar

2022-02-22 ⋅ CyberInt ⋅ Shmuel Gihon
Like Father Like Son? New Mars Stealer
Mars Stealer Oski Stealer

2022-02-01 ⋅ 3xp0rt ⋅ 3xp0rt
Mars Stealer: Oski refactoring
Mars Stealer Oski Stealer

Yara Rules

[TLP:WHITE] win_mars_stealer_auto (20230808 | Detects win.mars_stealer.)

rule win_mars_stealer_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mars_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 33049508674100 894508 8b4d0c 83c101 894d0c 8b550c }
            // n = 6, score = 100
            //   33049508674100       | xor                 eax, dword ptr [edx*4 + 0x416708]
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   83c101               | add                 ecx, 1
            //   894d0c               | mov                 dword ptr [ebp + 0xc], ecx
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]

        $sequence_1 = { 8b5118 52 8b853cfbffff 8b4814 }
            // n = 4, score = 100
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]
            //   52                   | push                edx
            //   8b853cfbffff         | mov                 eax, dword ptr [ebp - 0x4c4]
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]

        $sequence_2 = { 898564e6ffff 83bd64e6ffff00 0f8405030000 6a00 }
            // n = 4, score = 100
            //   898564e6ffff         | mov                 dword ptr [ebp - 0x199c], eax
            //   83bd64e6ffff00       | cmp                 dword ptr [ebp - 0x199c], 0
            //   0f8405030000         | je                  0x30b
            //   6a00                 | push                0

        $sequence_3 = { a1???????? 50 8b4d08 51 e8???????? 83c410 6a04 }
            // n = 7, score = 100
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   6a04                 | push                4

        $sequence_4 = { 8b5508 c1ea08 33148d08674100 895508 8b450c }
            // n = 5, score = 100
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   c1ea08               | shr                 edx, 8
            //   33148d08674100       | xor                 edx, dword ptr [ecx*4 + 0x416708]
            //   895508               | mov                 dword ptr [ebp + 8], edx
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_5 = { 52 8d85e8feffff 50 68???????? 8b4df8 51 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   8d85e8feffff         | lea                 eax, [ebp - 0x118]
            //   50                   | push                eax
            //   68????????           |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   51                   | push                ecx

        $sequence_6 = { 837df820 0f8d61030000 6804010000 8d8de8feffff 51 e8???????? }
            // n = 6, score = 100
            //   837df820             | cmp                 dword ptr [ebp - 8], 0x20
            //   0f8d61030000         | jge                 0x367
            //   6804010000           | push                0x104
            //   8d8de8feffff         | lea                 ecx, [ebp - 0x118]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_7 = { 2b4d08 c681407c410000 8b550c 8955f8 }
            // n = 4, score = 100
            //   2b4d08               | sub                 ecx, dword ptr [ebp + 8]
            //   c681407c410000       | mov                 byte ptr [ecx + 0x417c40], 0
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx

        $sequence_8 = { 8b953cfbffff 8b4214 83c020 50 6a00 }
            // n = 5, score = 100
            //   8b953cfbffff         | mov                 edx, dword ptr [ebp - 0x4c4]
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   83c020               | add                 eax, 0x20
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_9 = { 52 8b85fcfbffff 50 ff15???????? 89857cdeffff }
            // n = 5, score = 100
            //   52                   | push                edx
            //   8b85fcfbffff         | mov                 eax, dword ptr [ebp - 0x404]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   89857cdeffff         | mov                 dword ptr [ebp - 0x2184], eax

    condition:
        7 of them and filesize < 219136
}

Download all Yara Rules

Mars Stealer Propose Change

References

Yara Rules

Mars Stealer