win.mars_stealer

Mars Stealer


3xp0rt describes Mars Stealer as an improved successor of Oski Stealer, supporting data theft from current browsers and targeting cryptocurrencies and 2FA plugins.

References
2022-12-29 | ThreatMon | ThreatMon Malware Research Team
@online{team:20221229:mars:5cb748d, author = {ThreatMon Malware Research Team}, title = {{Mars Stealer Analysis}}, date = {2022-12-29}, organization = {ThreatMon}, url = {https://threatmon.io/mars-stealer-malware-analysis-threatmon/}, language = {English}, urldate = {2023-02-17} } Mars Stealer Analysis
Mars Stealer
2022-12-18 | ZAYOTEM | Ömer Faruk Kayıkcı, Nisanur Çıldız, Meryem Ahıskalı
@online{kaykc:20221218:mars:dc1db9a, author = {Ömer Faruk Kayıkcı and Nisanur Çıldız and Meryem Ahıskalı}, title = {{Mars Stealer Technical Analysis Report}}, date = {2022-12-18}, organization = {ZAYOTEM}, url = {https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view}, language = {English}, urldate = {2022-12-20} } Mars Stealer Technical Analysis Report
Mars Stealer
2022-09-15 | Sekoia | Threat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2022-08-02 | Recorded Future | Insikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-08-02 | cyble | Cyble Research Labs
@online{labs:20220802:fake:9770cab, author = {Cyble Research Labs}, title = {{Fake Atomic Wallet Website Distributing Mars Stealer}}, date = {2022-08-02}, organization = {cyble}, url = {https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/}, language = {English}, urldate = {2022-08-08} } Fake Atomic Wallet Website Distributing Mars Stealer
Mars Stealer
2022-07-13 | KELA | KELA Cyber Intelligence Center
@online{center:20220713:next:b2e43e4, author = {KELA Cyber Intelligence Center}, title = {{The Next Generation of Info Stealers}}, date = {2022-07-13}, organization = {KELA}, url = {https://ke-la.com/information-stealers-a-new-landscape/}, language = {English}, urldate = {2022-07-18} } The Next Generation of Info Stealers
Arkei Stealer Azorult BlackGuard Eternity Stealer Ginzo Stealer Mars Stealer MetaStealer Raccoon RedLine Stealer Vidar
2022-05-21 | Github (x-junior) | Mohamed Ashraf
@online{ashraf:20220521:deep:0e3523b, author = {Mohamed Ashraf}, title = {{Deep Analysis of Mars Stealer}}, date = {2022-05-21}, organization = {Github (x-junior)}, url = {https://x-junior.github.io/malware%20analysis/MarsStealer/}, language = {English}, urldate = {2022-05-23} } Deep Analysis of Mars Stealer
Mars Stealer
2022-05-18 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220518:esentire:662b9d9, author = {eSentire Threat Response Unit (TRU)}, title = {{eSentire Threat Intelligence Malware Analysis: Mars Stealer}}, date = {2022-05-18}, organization = {eSentire}, url = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer}, language = {English}, urldate = {2022-05-24} } eSentire Threat Intelligence Malware Analysis: Mars Stealer
Mars Stealer
2022-05-17 | Microsoft Security | Berman Enconado, Laurie Kirk
@online{enconado:20220517:in:c234e4d, author = {Berman Enconado and Laurie Kirk}, title = {{In hot pursuit of ‘cryware’: Defending hot wallets from attacks}}, date = {2022-05-17}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/}, language = {English}, urldate = {2022-05-25} } In hot pursuit of ‘cryware’: Defending hot wallets from attacks
Mars Stealer RedLine Stealer
2022-04-20 | InfoSec Institute | Pedro Tavares
@online{tavares:20220420:mars:6bb8872, author = {Pedro Tavares}, title = {{Mars Stealer malware analysis}}, date = {2022-04-20}, organization = {InfoSec Institute}, url = {https://resources.infosecinstitute.com/topic/mars-stealer-malware-analysis/}, language = {English}, urldate = {2022-07-25} } Mars Stealer malware analysis
Mars Stealer
2022-04-11 | eSentire | eSentire Threat Response Unit (TRU)
@online{tru:20220411:fake:e57b0f2, author = {eSentire Threat Response Unit (TRU)}, title = {{Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer}}, date = {2022-04-11}, organization = {eSentire}, url = {https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer}, language = {English}, urldate = {2022-05-24} } Fake Chrome Setup Leads to NetSupportManager RAT and Mars Stealer
Mars Stealer NetSupportManager RAT
2022-04-10 | Bleeping Computer | Bill Toulas
@online{toulas:20220410:new:1241933, author = {Bill Toulas}, title = {{New Meta information stealer distributed in malspam campaign}}, date = {2022-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/}, language = {English}, urldate = {2022-05-05} } New Meta information stealer distributed in malspam campaign
BlackGuard Mars Stealer Raccoon
2022-04-07 | Sekoia | Threat & Detection Research Team
@online{team:20220407:mars:9a72e1f, author = {Threat & Detection Research Team}, title = {{Mars, a red-hot information stealer}}, date = {2022-04-07}, organization = {Sekoia}, url = {https://blog.sekoia.io/mars-a-red-hot-information-stealer/}, language = {English}, urldate = {2022-04-08} } Mars, a red-hot information stealer
Mars Stealer
2022-04-05 | Malwarebytes Labs | Ankur Saini, Hossein Jazi, Jérôme Segura
@online{saini:20220405:colibri:ee97c2e, author = {Ankur Saini and Hossein Jazi and Jérôme Segura}, title = {{Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique}}, date = {2022-04-05}, organization = {Malwarebytes Labs}, url = {https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/}, language = {English}, urldate = {2022-06-09} } Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
Colibri Loader Mars Stealer
2022-03-30 | Cert-UA | Cert-UA
@online{certua:20220330:mass:5bc04fd, author = {Cert-UA}, title = {{Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)}}, date = {2022-03-30}, organization = {Cert-UA}, url = {https://cert.gov.ua/article/38606}, language = {Ukrainian}, urldate = {2022-04-04} } Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations (CERT-UA#4315)
Mars Stealer
2022-03-29 | Morphisec | Arnold Osipov
@online{osipov:20220329:exclusive:37a9d8b, author = {Arnold Osipov}, title = {{Exclusive Threat Research: Mars (Stealer) Attacks!}}, date = {2022-03-29}, organization = {Morphisec}, url = {https://blog.morphisec.com/threat-research-mars-stealer}, language = {English}, urldate = {2022-03-31} } Exclusive Threat Research: Mars (Stealer) Attacks!
Mars Stealer
2022-03-23 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220323:arkei:f9a44a4, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468}, language = {English}, urldate = {2023-04-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Oski Stealer Vidar
2022-03-23 | InfoSec Handlers Diary Blog | Brad Duncan
@online{duncan:20220323:arkei:b2a08f5, author = {Brad Duncan}, title = {{Arkei Variants: From Vidar to Mars Stealer}}, date = {2022-03-23}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/diary/rss/28468}, language = {English}, urldate = {2022-03-25} } Arkei Variants: From Vidar to Mars Stealer
Arkei Stealer Mars Stealer Vidar
2022-02-22 | CyberInt | Shmuel Gihon
@online{gihon:20220222:like:5154c54, author = {Shmuel Gihon}, title = {{Like Father Like Son? New Mars Stealer}}, date = {2022-02-22}, organization = {CyberInt}, url = {https://cyberint.com/blog/research/mars-stealer/}, language = {English}, urldate = {2022-03-23} } Like Father Like Son? New Mars Stealer
Mars Stealer Oski Stealer
2022-02-01 | 3xp0rt | 3xp0rt
@online{3xp0rt:20220201:mars:3ff37ea, author = {3xp0rt}, title = {{Mars Stealer: Oski refactoring}}, date = {2022-02-01}, organization = {3xp0rt}, url = {https://3xp0rt.com/posts/mars-stealer}, language = {English}, urldate = {2022-04-15} } Mars Stealer: Oski refactoring
Mars Stealer Oski Stealer
Yara Rules
[TLP:WHITE] win_mars_stealer_auto (20230715 | Detects win.mars_stealer.)
rule win_mars_stealer_auto {

    /*
     * Autogenerated code-sequence signature for win.mars_stealer (Mars Stealer).
     * Each $sequence_N in the strings section is a run of x86 instruction bytes
     * lifted from disassembly of the reference sample(s); the "??" bytes are YARA
     * single-byte wildcards masking the operands that the generator treats as
     * volatile (call/jump targets and data references, per signator_config), so
     * the patterns survive relocation and minor rebuilds. Operands that are NOT
     * wildcarded remain build-specific; see the NOTE(review) comments below.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.mars_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each hex string is followed by its per-instruction disassembly. An
        // instruction with an empty mnemonic column is one whose operand was
        // wildcarded ("????????"), i.e. a call/jmp target or an absolute data
        // reference that is not part of the match.
        $sequence_0 = { 8b15???????? 52 e8???????? 83c40c e8???????? }
            // n = 5, score = 100
            //   8b15????????         |                     
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   e8????????           |                     

        $sequence_1 = { e8???????? 83c40c 6888130000 8d95f0d8ffff 52 e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   6888130000           | push                0x1388
            //   8d95f0d8ffff         | lea                 edx, [ebp - 0x2710]
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_2 = { 8b45f8 c7404800000000 8b4df8 c7417c00000000 837d0800 0f848f000000 8b5508 }
            // n = 7, score = 100
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c7404800000000       | mov                 dword ptr [eax + 0x48], 0
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   c7417c00000000       | mov                 dword ptr [ecx + 0x7c], 0
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   0f848f000000         | je                  0x95
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_3 = { ff15???????? 83c404 8945e8 8b55e8 8955fc 8b4508 8945e4 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   83c404               | add                 esp, 4
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax

        // NOTE(review): the table base 0x416568 in the first instruction is NOT
        // wildcarded, so this sequence is tied to the address layout of the
        // sample it was generated from; presumably it will not match a rebuild
        // or a differently based image — confirm before relying on it alone.
        $sequence_4 = { 8b148d68654100 8955fc 837dfc00 7427 8b45f4 8b4d08 8b55ec }
            // n = 7, score = 100
            //   8b148d68654100       | mov                 edx, dword ptr [ecx*4 + 0x416568]
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   837dfc00             | cmp                 dword ptr [ebp - 4], 0
            //   7427                 | je                  0x29
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        // NOTE(review): function prologue followed by four c705 stores. The
        // destination addresses are wildcarded, but the stored imm32 values are
        // kept (little-endian 0x004130ac, 0x004130c4, 0x004130d4, 0x004130e4).
        // Those look like absolute in-image addresses and, as with $sequence_4,
        // may be specific to this build — confirm.
        $sequence_5 = { 55 8bec c705????????ac304100 c705????????c4304100 c705????????d4304100 c705????????e4304100 }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   c705????????ac304100     |     
            //   c705????????c4304100     |     
            //   c705????????d4304100     |     
            //   c705????????e4304100     |     

        $sequence_6 = { 8bb540fbffff 33c0 f3a7 0f851c020000 6a00 }
            // n = 5, score = 100
            //   8bb540fbffff         | mov                 esi, dword ptr [ebp - 0x4c0]
            //   33c0                 | xor                 eax, eax
            //   f3a7                 | repe cmpsd          dword ptr [esi], dword ptr es:[edi]
            //   0f851c020000         | jne                 0x222
            //   6a00                 | push                0

        // Every operand here is wildcarded; only the opcode skeleton
        // (load/push/load/push/indirect call/push/load) is matched.
        $sequence_7 = { a1???????? 50 8b0d???????? 51 ff15???????? 68???????? 8b15???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   50                   | push                eax
            //   8b0d????????         |                     
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   68????????           |                     
            //   8b15????????         |                     

        $sequence_8 = { c745dc00000000 c745e000000000 c745e400000000 8d55c4 52 ff15???????? 6a3c }
            // n = 7, score = 100
            //   c745dc00000000       | mov                 dword ptr [ebp - 0x24], 0
            //   c745e000000000       | mov                 dword ptr [ebp - 0x20], 0
            //   c745e400000000       | mov                 dword ptr [ebp - 0x1c], 0
            //   8d55c4               | lea                 edx, [ebp - 0x3c]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   6a3c                 | push                0x3c

        $sequence_9 = { e9???????? 6804010000 8d9550e9ffff 52 e8???????? }
            // n = 5, score = 100
            //   e9????????           |                     
            //   6804010000           | push                0x104
            //   8d9550e9ffff         | lea                 edx, [ebp - 0x16b0]
            //   52                   | push                edx
            //   e8????????           |                     

    condition:
        // Match when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 219136 bytes (214 KiB). The size bound limits
        // false positives on large files; because the sequences come from memory
        // dumps and unpacked files (see DISCLAIMER), packed on-disk samples are
        // presumably not expected to trigger this rule.
        7 of them and filesize < 219136
}