{
	"id": "11991f1f-563a-48f6-b4e6-e0dc0976a42d",
	"created_at": "2026-04-06T00:08:38.771624Z",
	"updated_at": "2026-04-10T03:37:08.859979Z",
	"deleted_at": null,
	"sha1_hash": "2bd881edb60dd9fdeb4bc6ff92caf0e4f8edb569",
	"title": "Deep Analysis of Mars Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1064277,
	"plain_text": "Deep Analysis of Mars Stealer\r\nBy Mohamed Ashraf\r\nPublished: 2022-05-19 · Archived: 2026-04-05 17:58:13 UTC\r\n28 minute read\r\nIntroduction\r\nMars Stealer is an improved copy of Oski Stealer. I saw a lot of tweets about it recently, so I decided to write an analysis of the newer version, v8. Enjoy reading!\r\nDifferences from the previous version:\r\n1. Anti-analysis technique\r\n2. Different encryption algorithm\r\n3. New anti-debug technique\r\n4. New configuration format\r\n5. External DLLs are delivered in one zip file\r\nOverview\r\nhttps://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html\r\nPage 1 of 32\r\nAnti-Analysis\r\nOpening Mars Stealer in IDA we can see an anti-analysis trick called opaque predicates. It is a commonly used technique in program obfuscation, intended to add complexity to the control flow.\r\nThis obfuscation simply takes an absolute jump (JMP) and transforms it into two conditional jumps (JZ/JNZ). Depending on the value of the Zero flag (ZF), execution follows the first or the second branch.\r\nHowever, disassemblers are tricked into thinking that there is a fall-through path if the second jump is not taken (which is impossible, as one of the two must be taken) and try to disassemble the unreachable bytes (often invalid instructions), resulting in garbage code.\r\nThe deobfuscation is simple: we just need to patch the first conditional jump into an absolute jump and NOP out the second jump. We can use IDAPython to achieve this:\r\nimport idc\r\nimport ida_search\r\n\r\nea = 0\r\nwhile True:\r\n    # find the next JZ/JNZ or JNZ/JZ short-jump pair, whichever comes first\r\n    ea = min(ida_search.find_binary(ea, idc.BADADDR, \"74 ? 75 ?\", 16, idc.SEARCH_NEXT | idc.SEARCH_DOWN),  # JZ / JNZ\r\n             ida_search.find_binary(ea, idc.BADADDR, \"75 ? 74 ?\", 16, idc.SEARCH_NEXT | idc.SEARCH_DOWN))  # JNZ / JZ\r\n    if ea == idc.BADADDR:\r\n        break\r\n    idc.patch_byte(ea, 0xEB)      # first conditional jump -> unconditional JMP short\r\n    idc.patch_byte(ea + 2, 0x90)  # NOP out the second, unreachable jump\r\n    idc.patch_byte(ea + 3, 0x90)\r\n    idc.patch_byte(ea + 4, 0x90)\r\nAfter Running the Script\r\nNow we get a clear view after reversing and renaming.\r\nFirst Mars gets a handle to kernel32.dll by parsing InLoadOrderModuleList, then it passes the handle to a function that loops over the exported functions of the DLL to get the addresses of LocalAlloc() and VirtualProtect().\r\nString Encryption\r\nAfter that it decrypts some strings used for a few checks; the decryption is a simple XOR function.\r\nWe can also see that the XOR function is referenced in another function, which I renamed Decrypt_String_2. If the malware passes the checks (which we will see soon) it decrypts those strings, which contain the strings needed for the malware to steal sensitive data.\r\nWe use an IDAPython script to recover those strings and rename the variables to make reversing easier:\r\nimport string\r\nimport idc\r\n\r\ndef sanitize_string(name):\r\n    # keep letters only so the result is a valid symbol name\r\n    return \"\".join([c for c in name if c in string.ascii_letters])[:20].capitalize()\r\n\r\ndef X0r(key, data, length):\r\n    res = \"\"\r\n    for i in range(length):\r\n        res += chr(key[i] ^ data[i])\r\n    return res\r\n\r\n# address ranges of the two string-decryption functions in this sample\r\nstart_Addrs = [0x00401770, 0x00401990]\r\nend_Addrs = [0x00401967, 0x00405444]\r\nstring_list = []\r\ndectypred_data = \"\"\r\naddrs = []\r\nfor i in range(len(start_Addrs)):\r\n    ea = start_Addrs[i]\r\n    end = end_Addrs[i]\r\n    while ea <= end:\r\n        # the three immediates pushed before each call are: length, data, key\r\n        if idc.get_operand_type(ea, 0) == idc.o_imm:\r\n            addrs.append(idc.get_operand_value(ea, 0))\r\n            if len(addrs) == 3:\r\n                length = addrs[0]\r\n                data = idc.get_bytes(addrs[1], length)\r\n                key = idc.get_bytes(addrs[2], length)\r\n                dectypred_data = X0r(key, data, length)\r\n                string_list.append(dectypred_data)\r\n                addrs = []\r\n        if idc.print_insn_mnem(ea) == \"call\":\r\n            idc.set_cmt(ea, dectypred_data, 1)  # comment the call with the decrypted string\r\n        # 'mov global, reg' after the call: rename the global that receives the string\r\n        if idc.print_insn_mnem(ea) == \"mov\" and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_type(ea, 1) == idc.o_reg):\r\n            global_var = idc.get_operand_value(ea, 0)\r\n            idc.set_name(global_var, \"Str_\" + sanitize_string(dectypred_data), idc.SN_NOWARN)\r\n        ea = idc.next_head(ea, end)\r\nHere is a list of the decrypted strings:\r\nLoadLibraryA\r\nGetProcAddress\r\nExitProcess\r\nadvapi32.dll\r\ncrypt32.dll\r\nGetTickCount\r\nSleep\r\nGetUserDefaultLangID\r\nCreateMutexA\r\nGetLastError\r\nDynamic linking\r\nThe addresses of GetProcAddress() and LoadLibraryA() are retrieved by the same method in Dynamic_Linking_1, looping over the exported functions of kernel32.dll. It then uses LoadLibraryA() to load the specified module into the address space and gets a handle that is passed to GetProcAddress() to retrieve the address of an exported function from the specified dynamic-link library.\r\nDynamic_Linking_2 loads only the APIs needed for the checks; if they pass, it loads the others needed for the stealing functionality.\r\ndword_42774 is GetProcAddress(); it is called in another function, Dynamic_Linking_3, which loads the other APIs needed for the stealing functionality.\r\nWe use IDAPython to rename the global variables with the API name to make reversing easier:\r\nimport idc\r\n\r\n# address ranges of the three dynamic-linking functions in this sample\r\nstart_Addrs = [0x00415F86, 0x00415FC0, 0x004161A0]\r\nend_Addrs = [0x00415FB7, 0x00416176, 0x00417034]\r\nfor i in range(len(start_Addrs)):\r\n    ea = start_Addrs[i]\r\n    end = end_Addrs[i]\r\n    name = None\r\n    while ea <= end:\r\n        # 'push offset aApiName': the API name is an inline string literal\r\n        if (idc.print_insn_mnem(ea) == \"push\") and (idc.get_operand_type(ea, 0) == idc.o_imm):\r\n            lit = idc.get_strlit_contents(idc.get_operand_value(ea, 0))\r\n            if lit:\r\n                name = lit.decode()\r\n        # 'mov reg, Str_ApiName': the API name comes from a global decrypted earlier\r\n        if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_reg) and (idc.get_operand_type(ea, 1) == idc.o_mem):\r\n            temp_name = idc.get_name(idc.get_operand_value(ea, 1))\r\n            if \"Str_\" == temp_name[0:4]:\r\n                name = temp_name[4::]\r\n        # 'mov global, reg': the resolved address is stored, so rename the global after the API\r\n        if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_type(ea, 1) == idc.o_reg) and name:\r\n            global_var = idc.get_operand_value(ea, 0)\r\n            idc.set_name(global_var, name, idc.SN_NOWARN)\r\n        ea = idc.next_head(ea, end)\r\nAnti-Sandbox\r\nMany sandboxes hook and bypass Sleep() to prevent malware from staying idle for the whole execution time. The malware first calls GetTickCount(), which retrieves the number of milliseconds elapsed since the system was started (up to 49.7 days); that is the first timestamp. Then it calls Sleep() to suspend itself for 16 seconds, and calling GetTickCount() again gives the second timestamp. The malware checks that at least 12 seconds elapsed between the two timestamps. If the check fails, the Sleep() was skipped, so the malware assumes it is running in a sandbox and exits immediately.\r\nAnti-CIS\r\nThis is one of the simple tricks used to avoid infecting users from specific countries.\r\nMars checks the user language to determine whether it belongs to a Commonwealth of Independent States (CIS) country. It gets the user language ID with GetUserDefaultLangID and compares it to:\r\nLanguage ID | Country\r\n0x43F | Kazakhstan\r\n0x443 | Uzbekistan\r\n0x82C | Azerbaijan\r\n0x43Fu | Kazakhstan\r\n0x419u | Russia\r\n0x423u | Belarus\r\nIf the user language ID matches one of the IDs above, it exits.\r\nAnti-Emulation\r\nIf the malware is executed with the computer name HAL9TH and the username JohnDoe it exits. This check is done because those are the names used by the Windows Defender emulator; the technique is used by malware to prevent itself from running in an emulated environment.\r\nMutex\r\nThe malware creates a mutex object using CreateMutexA() to avoid having more than one instance running. It then calls GetLastError(); if the error code equals 183 (ERROR_ALREADY_EXISTS), the mutex already exists, an instance of the malware is already running, and the malware exits.\r\nAnti-Debug\r\nThe malware creates a thread that checks the BeingDebugged flag, a special flag in system tables that live in process memory and which the operating system sets to indicate that the process is being debugged. The state of such flags can be verified either by using specific API functions or by examining the system tables in memory. If the malware is being debugged it exits. The thread keeps running until the malware finishes execution, or the thread ends the malware's execution if it detects a debugger.\r\nExpiration check\r\nThe Expiration date variable contains the date 26/04/2022 20:00:00.\r\nMars uses GetSystemTime() to get the current system date and time as a SYSTEMTIME structure, then calls sscanf() to parse the expiration date into a SYSTEMTIME structure. SystemTimeToFileTime() takes a SYSTEMTIME structure as argument and converts it to a file time; the expiration date is converted to a file time as well.\r\nIf the current time exceeds the expiration time, the malware calls ExitProcess() to exit immediately.\r\nMain Functionality\r\nMars generates a random string that will be the name of the zip file containing the stolen data.\r\nThe communication between the C2 and the malware is as follows:\r\n1. It sends a GET request to the C2 URL on the /RyC66VfSGP.php endpoint to grab its configuration.\r\n2. It fetches all DLLs from the /request endpoint; the libraries are zipped.\r\n3. Stolen data is posted to the C2 on the same URL used in step 1.\r\nDLLs retrieved:\r\nDLL Name | Description | Save path\r\nsqlite3.dll | Enables SQLite related operations | none (Mars does not write it to disk; it is parsed from memory)\r\nfreebl3.dll | Library for the NSS (Gecko-based browsers) | C:\\ProgramData\\freebl3.dll\r\nmozglue.dll | Mozilla Browser Library | C:\\ProgramData\\mozglue.dll\r\nmsvcp140.dll | Visual C++ Runtime 2015 | C:\\ProgramData\\msvcp140.dll\r\nnss3.dll | Network System Services Library (Gecko-based browsers) | C:\\ProgramData\\nss3.dll\r\nsoftokn3.dll | Mozilla Browser Library | C:\\ProgramData\\softokn3.dll\r\nvcruntime140.dll | Visual C++ Runtime 2015 | C:\\ProgramData\\vcruntime140.dll\r\nAnother difference from the last version is that sqlite3.dll is not written to disk; it is just parsed in memory and passed to another function that gets a handle to it and starts loading the needed functions. The other DLLs are written to disk.\r\nSince the C2 was down, I got the pcap from the Hatching sandbox.\r\nUnderstanding Configuration Format\r\nThe configuration is base64 encoded:\r\nMXwxfDF8MXwxfDVxRGxQdVZLb1J8RGlzY29yZHwwfCVBUFBEQVRBJVxkaXNjb3JkXExvY2FsIFN0b3JhZ2VcfCp8MXwwfDB8VGVsZWdyYW1\r\n8MHwlQVBQREFUQSVcVGVsZWdyYW0gRGVza3RvcFx0ZGF0YVx8KkQ4NzdGNzgzRDVEM0VGOEMqLCptYXAqLCpjb25maWdzKnwxfDB8MHw=\r\nDecoded:\r\n1|1|1|1|1|5qDlPuVKoR|Discord|0|%APPDATA%\\discord\\Local Storage\\|*|1|0|0|Telegram|0|%APPDATA%\\Telegram Desktop\\tdata\\|*D877F783D5D3EF8C*,*map*,*configs*|1|0|0|\r\nimport base64\r\n\r\n# the base64 configuration returned by the C2 (both halves of the line above)\r\nconfig_b64 = (\"MXwxfDF8MXwxfDVxRGxQdVZLb1J8RGlzY29yZHwwfCVBUFBEQVRBJVxkaXNjb3JkXExvY2FsIFN0b3JhZ2VcfCp8MXwwfDB8VGVsZWdyYW1\"\r\n              \"8MHwlQVBQREFUQSVcVGVsZWdyYW0gRGVza3RvcFx0ZGF0YVx8KkQ4NzdGNzgzRDVEM0VGOEMqLCptYXAqLCpjb25maWdzKnwxfDB8MHw=\")\r\n# strip the trailing delimiter so the last task is not followed by an empty field\r\nconfig = base64.b64decode(config_b64).decode().rstrip(\"|\")\r\nconfig = config.split(\"|\")\r\nprint(\"First Part : \\n\", config[0:6])\r\nprint(\"Second Part :\")\r\n# after the first six fields, every grabber task is a group of seven fields\r\nfor i in range(6, len(config), 7):\r\n    print(config[i:i+7])\r\nOutput:\r\nFirst Part :\r\n ['1', '1', '1', '1', '1', '5qDlPuVKoR']\r\nSecond Part :\r\n['Discord', '0', '%APPDATA%\\\\discord\\\\Local Storage\\\\', '*', '1', '0', '0']\r\n['Telegram', '0', '%APPDATA%\\\\Telegram Desktop\\\\tdata\\\\', '*D877F783D5D3EF8C*,*map*,*configs*', '1', '0', '0']\r\nFirst part\r\nConfig | Meaning\r\n1 | Downloads_history_Flag\r\n1 | Browser_History_Flag\r\n1 | Autofill_Flag\r\n1 | ScreenShoot_Flag\r\n1 | Self_Deletion_Flag\r\n5qDlPuVKoR | Explorer Credentials FileName\r\nSecond part\r\nConfig | Meaning\r\nDiscord | name for the zip file that will contain all the stolen files related to the current task, so the zip will be named name.zip\r\n0 | maybe max size (no indication of use)\r\n%APPDATA%\\discord\\Local Storage\\ | an environment variable name and folder name: the starting point for the recursive grabber\r\n* | a regex list: multiple parameters separated by \",\", each of them a regex that represents a file type\r\n1 | is_Recursive\r\n0 | write to zip enabled if 0\r\n0 | exclusion list\r\nGrabber\r\nLet's dig into the Config_Grabber function to see how it works.\r\nAfter receiving the config we can see that it contains a lot of \"|\" characters, so the malware splits the config on the \"|\" delimiter and loops through the split config. The first part enables or disables some of the stealer functionality; then part 2 starts grabbing the wanted files.\r\nAs an example,\r\n['Discord', '0', '%APPDATA%\\discord\\Local Storage\\', '*', '1', '0', '0']\r\nstarts recursively grabbing all files in discord\\Local Storage\\ under %APPDATA% and puts them in discord.zip.\r\nIf there is more than one regex, as in\r\n['Telegram', '0', '%APPDATA%\\Telegram Desktop\\tdata\\', '*D877F783D5D3EF8C*,*map*,*configs*', '1', '0', '0']\r\nit loops through them and calls Recursive_Grabber with each regex.\r\nBrowsers\r\nMars steals credentials from browsers by static paths. It has four different methods to steal data from different types of browsers: Gecko-based browsers, Opera, Internet Explorer and Chromium-based browsers.\r\nAll the extraction functions follow the same scheme:\r\n1. The malware saves the addresses of the following functions from sqlite3.dll: sqlite3_open, sqlite3_prepare_v2, sqlite3_step, sqlite3_column_bytes, sqlite3_column_blob, sqlite3_column_text, sqlite3_column_finalize, sqlite3_column_close\r\n2. It generates a random string (8 characters long) and copies the DB file to a temp folder named after the random string; all the extraction methods work on the copied DB. In order to extract the data from the DB, the malware has to build the SQL query and query the DB using the sqlite3.dll functions.\r\n3. The malware opens the DB using sqlite3_open, passing the DB path.\r\n4. It calls sqlite3_prepare_v2; the function takes a handle to the DB and the SQL query and returns a statement handle.\r\n5. Using sqlite3_column_bytes/sqlite3_column_blob/sqlite3_column_text, the malware reads the results of the queries.\r\n6. The credentials in Chromium-based browser DBs are encrypted with DPAPI; therefore the malware uses CryptUnprotectData to decrypt them.\r\nMars steals information from the Windows Vault, which is the default storage vault for the credential manager information. This is done through Vaultcli.dll, which encapsulates the functions needed to access the Vault. The malware loops through its items using: VaultEnumerateVaults, VaultOpenVault, VaultEnumerateItems, VaultGetItem, VaultFree\r\nTargeted DB Files\r\nFile Name | Affected Software\r\nHistory | Chromium-based browsers\r\nLogin Data | Chromium-based browsers\r\nCookies | Chromium-based browsers\r\nWeb Data | Chromium-based browsers\r\nformhistory.sqlite | Gecko-based browsers\r\ncookies.sqlite | Gecko-based browsers\r\nsignons.sqlite | Gecko-based browsers\r\nplaces.sqlite | Gecko-based browsers\r\nQueries Used\r\nQuery | Target browser | Enabled\r\nSELECT target_path, tab_url from downloads | chromium, opera | disabled by default, enabled if Downloads_history_Flag is set to 1\r\nSELECT name, value FROM autofill | chromium, opera | disabled by default, enabled if Autofill_Flag is set to 1\r\nSELECT url FROM urls | chromium, opera | disabled by default, enabled if Browser_History_Flag is set to 1\r\nSELECT action_url, username_value, password_value FROM logins | chromium, opera | enabled by default\r\nSELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies | chromium, opera | enabled by default\r\nSELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards | chromium, opera | enabled by default\r\nSELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies | gecko | enabled by default\r\nSELECT url FROM moz_places | gecko | disabled by default, enabled if Browser_History_Flag is set to 1\r\nSELECT fieldname, value FROM moz_formhistory | gecko | enabled by default\r\nCryptocurrency Wallets via browser extensions\r\nMars also appears to target additional Chrome-based browser extensions related to two-factor authentication (2FA).\r\nMars steals files from 3 folders:\r\n1. \\Local Extension Settings\\Extension ID from Google Store\r\n2. \\Sync Extension Settings\\Extension ID from Google Store\r\n3. \\IndexedDB\\Domain Name.indexeddb.leveldb\r\nAs an example, if the victim uses Google Chrome with a crypto browser wallet extension, the extension files will be stored in:\r\nC:\\Users\\Username\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\Extension ID from Google Store\r\nC:\\Users\\Username\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Sync Extension Settings\\Extension ID from Google Store\r\nC:\\Users\\Username\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\IndexedDB\\Domain Name.indexeddb.leveldb\r\nType | Extension name | Extension id\r\nCrypto | TronLink | ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nCrypto | MetaMask | nkbihfbeogaeaoehlefnkodbefgpgknn\r\nCrypto | Binance Chain Wallet | fhbohimaelbohpjbbldcngcnapndodjp\r\nCrypto | Yoroi | ffnbelfdoeiohenkjibnmadjiehjhajb\r\nCrypto | Nifty Wallet | jbdaocneiiinmjbjlgalhcelgbejmnid\r\nCrypto | Math Wallet | afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCrypto | Coinbase Wallet | hnfanknocfeofbddgcijnmhnfnkdnaad\r\nCrypto | Guarda | hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nCrypto | EQUAL Wallet | blnieiiffboillknjnepogjhkgnoapac\r\nCrypto | Jaxx Liberty | cjelfplplebdjjenllpjcblmjkfcffne\r\nCrypto | BitApp Wallet | fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\nCrypto | iWallet | kncchdigobghenbbaddojjnnaogfppfj\r\nCrypto | Wombat | amkmjjmmflddogmhpjloimipbofnfjih\r\nCrypto | MEW CX | nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nCrypto | GuildWallet | nanjmdknhkinifnkgdcggcfnhdaammmj\r\nCrypto | Saturn Wallet | nkddgncdjgjfcddamfgcmfnlhccnimig\r\nCrypto | Ronin Wallet | fnjhmkhhmkbjkkabndcnnogagogbneec\r\nCrypto | NeoLine | cphhlgmgameodnhkjdmkpanlelnlohao\r\nCrypto | Clover Wallet | nhnkbkgjikgcigadomkphalanndcapjk\r\nCrypto | Liquality Wallet | kpfopkelmapcoipemfendmdcghnegimn\r\nCrypto | Terra Station | aiifbnbfobpmeekipheeijimdpnlpgpp\r\nCrypto | Keplr | dmkamcknogkgcdfhhbddcghachkejeap\r\nCrypto | Sollet | fhmfendgdocmcbmfikdcogofphimnkno\r\nCrypto | Auro Wallet | cnmamaachppnkjgnildpdmkaakejnhae\r\nCrypto | Polymesh Wallet | jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nCrypto | ICONex | flpiciilemghbmfalicajoolhkkenfel\r\nCrypto | Nabox Wallet | nknhiehlklippafakaeklbeglecifhad\r\nCrypto | KHC | hcflpincpppdclinealmandijcmnkbgn\r\nCrypto | Temple | ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nCrypto | TezBox | mnfifefkajgofkcjkemidiaecocnkjeh\r\nCrypto | Cyano Wallet | dkdedlpgdmmkkfjabffeganieamfklkm\r\nCrypto | Byone | nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nCrypto | OneKey | infeboajgfhgbjpjbeppbkgnabfdkdaf\r\nCrypto | LeafWallet | cihmoadaighcejopammfbmddcmdekcje\r\nCrypto | DAppPlay | lodccjjbdhfakaekdiahmedfbieldgik\r\nCrypto | BitClip | ijmpgkjfkbfhoebgogflfebnmejmfbml\r\nCrypto | Steem Keychain | lkcjlnjfpbikmcmbachjpdbijejflpcm\r\nCrypto | Nash Extension | onofpnbbkehpmmoabgpcpmigafmmnjhl\r\nCrypto | Hycon Lite Client | bcopgchhojmggmffilplmbdicgaihlkp\r\nCrypto | ZilPay | klnaejjgbibmhlephnhpmaofohgkpgkd\r\nCrypto | Coin98 Wallet | aeachknmefphepccionboohckonoeemg\r\n2FA | Authenticator | bhghoamapcdpbohphigoooaddinpkbai\r\n2FA | Authy | gaedmjdfmmahhbjefcbgaolhhanlaolb\r\n2FA | EOS Authenticator | oeljdldpnmdbchonielidgobddffflal\r\n2FA | GAuth Authenticator | ilgcnhelpchnceeipipijaljkblbcobl\r\n2FA | Trezor Password Manager | imloifkgjagghnncjkhggdhalmcnfklk\r\nCrypto Wallets\r\nMars does not stop at targeting cryptocurrencies via browser extensions. Many people prefer not to use third-party applications and services to store their digital currency, so Mars goes through various folders looking for specific files related to cryptocurrency.\r\nThe first parameter determines the path: if 0 it is under %appdata%, if 1 it is under %localappdata%. It then searches for other wallets with the regex *wallet*.dat under %appdata%.\r\nMars has dedicated functionality to target the following crypto wallets:\r\nWallet name | Wallet folder | Regex\r\nEthereum | %appdata%\\Ethereum\\ | keystore\r\nElectrum | %appdata%\\Electrum\\wallets\\ | .\r\nElectrum LTC | %appdata%\\Electrum-LTC\\wallets\\ | .\r\nExodus | %appdata%\\Exodus\\ | exodus.conf.json, window-state.json, \\Exodus\\exodus.wallet\\, passphrase.json, seed.seco, info.seco\r\nElectron Cash | %appdata%\\ElectronCash\\wallets\\ | default_wallet\r\nMultiDoge | %appdata%\\MultiDoge\\ | multidoge.wallet\r\nJaxx | %appdata%\\jaxx\\Local Storage\\ | file__0.localstorage\r\nAtomic | %appdata%\\atomic\\Local Storage\\leveldb\\ | 000003.log, CURRENT, LOCK, LOG, MANIFEST.000001, 0000*\r\nBinance | %appdata%\\Binance\\ | app-store.json\r\nCoinomi | %localappdata%\\Coinomi\\Coinomi\\wallets\\ | *.wallet, *.config\r\nOther wallets | %appdata% | *wallet*.dat\r\nSystem info\r\nThe malware collects system information and stores it in a system.txt file:\r\n1. IP and country\r\n2. Working path to the EXE file\r\n3. Local time and time zone\r\n4. System language\r\n5. Keyboard layout language\r\n6. Notebook or desktop\r\n7. Processor model\r\n8. Computer name\r\n9. User name\r\n10. Computer domain name\r\n11. Machine ID\r\n12. GUID\r\n13. Installed software and their versions\r\nMars also takes a screenshot and then adds all stolen files to a zip file, which it exfiltrates to the C2; in return it gets the loader config.\r\nLoader\r\nThe malware gets the loader config as the response after exfiltrating data. The config looks like download_URL|an environment variable name and folder name|startup_parameter|.\r\nAfter parsing the config Mars calls the download_file() function with the URL and the path the file will be saved to. It then calls ShellExecuteExA() to run the executable with the parameters retrieved from the config.\r\nSelf Deletion\r\nThe malware gets the path to itself using GetModuleFileName() and calls ShellExecuteExA(), which executes the following command:\r\n\"C:/Windows/System32/cmd.exe\" /c timeout /t 5 & del /f / path_To_file & exit\r\nAfter 5 seconds the executable is deleted.\r\nGeneralized IDAPython script using patterns\r\nimport idautils, idc, idaapi, ida_search\r\nimport string\r\n\r\n# (start, end) of every segment keyed by segment name; the scans below run over the\r\n# code segment, which is assumed to be named .text\r\nseg_mapping = {idaapi.get_segm_name(idaapi.getseg(x)): (idaapi.getseg(x).start_ea, idaapi.getseg(x).end_ea)\r\n               for x in idautils.Segments()}\r\nstart = seg_mapping[\".text\"][0]\r\nend = seg_mapping[\".text\"][1]\r\n\r\ndef sanitize_string(name):\r\n    # keep letters only so the result is a valid symbol name\r\n    return \"\".join([c for c in name if c in string.ascii_letters])[:20].capitalize()\r\n\r\ndef Xor(key, data, length):\r\n    res = \"\"\r\n    for i in range(length):\r\n        res += chr(key[i] ^ data[i])\r\n    return res\r\n\r\ndef getData(addr):\r\n    # each call to the XOR routine is preceded by: push length; push data; push key\r\n    key_addr = idc.prev_head(addr)\r\n    data_addr = idc.prev_head(key_addr)\r\n    key_length_addr = idc.prev_head(data_addr)\r\n    length = idc.get_operand_value(key_length_addr, 0)\r\n    key = idc.get_bytes(idc.get_operand_value(key_addr, 0), length)\r\n    data = idc.get_bytes(idc.get_operand_value(data_addr, 0), length)\r\n    return key, data, length\r\n\r\ndef rename_APIs(ea, end):\r\n    name = None\r\n    func_addr = ea\r\n    # walk backwards from the call to find where the API name comes from\r\n    for i in range(20):\r\n        # 'push offset aApiName': inline string literal\r\n        if (idc.print_insn_mnem(ea) == \"push\") and (idc.get_operand_type(ea, 0) == idc.o_imm):\r\n            lit = idc.get_strlit_contents(idc.get_operand_value(ea, 0))\r\n            if lit:\r\n                name = lit.decode()\r\n                break\r\n        # 'mov reg, Str_ApiName': global renamed by Strings_resolve()\r\n        if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_reg) and (idc.get_operand_type(ea, 1) == idc.o_mem):\r\n            temp_name = idc.get_name(idc.get_operand_value(ea, 1))\r\n            if \"Str_\" == temp_name[0:4]:\r\n                name = temp_name[4::]\r\n                break\r\n        ea = idc.prev_head(ea)\r\n    if name is None:\r\n        return \"\"\r\n    ea = func_addr\r\n    # walk forwards to the 'mov global, reg' that stores the resolved address\r\n    for i in range(20):\r\n        if (idc.print_insn_mnem(ea) == \"mov\") and (idc.get_operand_type(ea, 0) == idc.o_mem) and (idc.get_operand_type(ea, 1) == idc.o_reg):\r\n            global_var = idc.get_operand_value(ea, 0)\r\n            idc.set_name(global_var, name, idc.SN_NOWARN)\r\n            return name\r\n        ea = idc.next_head(ea, end)\r\n    return name\r\n\r\ndef API_resolve(start, end):\r\n    Loadlibrarya_addr = 0x0\r\n    new_GetProcAddress_addr = 0x0\r\n    # bytes of the export-walking resolver (pattern cut off at a page edge in the archived post)\r\n    GetProcAddress_pattern = \"8B 55 ?? 52 8B 45 ?? 8B 4D ?? 8B 55 ?? 03 14 ?? 52 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 75\"\r\n    GetProcAddress_addr = ida_search.find_binary(start, end, GetProcAddress_pattern, 16, idc.SEARCH_DOWN)\r\n    GetProcAddress_addr = idaapi.get_func(GetProcAddress_addr).start_ea\r\n    print('[*] Target function found at {}'.format(hex(GetProcAddress_addr)))\r\n    # the resolver is called for LoadLibraryA and GetProcAddress; remember the globals they land in\r\n    for ref in idautils.XrefsTo(GetProcAddress_addr):\r\n        addr = ref.frm\r\n        x = rename_APIs(addr, end)\r\n        if \"Loadlibrarya\" in x:\r\n            Loadlibrarya_addr = idc.get_operand_value(idc.next_head(idc.next_head(addr, end), end), 0)\r\n        elif \"Getprocaddress\" in x:\r\n            new_GetProcAddress_addr = idc.get_operand_value(idc.next_head(idc.next_head(addr, end), end), 0)\r\n    # every later call through those globals resolves one more API: rename its target global\r\n    for ref in idautils.XrefsTo(new_GetProcAddress_addr):\r\n        addr = ref.frm\r\n        rename_APIs(addr, end)\r\n    for ref in idautils.XrefsTo(Loadlibrarya_addr):\r\n        addr = ref.frm\r\n        rename_APIs(addr, end)\r\n\r\ndef Strings_resolve(start, end):\r\n    # bytes of the XOR string-decryption routine (pattern cut off at a page edge in the archived post)\r\n    xor_pattern = \"8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45\"\r\n    xor_fun_addr = ida_search.find_binary(start, end, xor_pattern, 16, idc.SEARCH_DOWN)\r\n    xor_fun_addr = idaapi.get_func(xor_fun_addr).start_ea\r\n    print('[*] Target function found at {}'.format(hex(xor_fun_addr)))\r\n    for ref in idautils.XrefsTo(xor_fun_addr):\r\n        addr = ref.frm\r\n        key, data, length = getData(addr)\r\n        decrypt_string = Xor(key, data, length)\r\n        idc.set_cmt(addr, decrypt_string, 1)\r\n        # the instruction after the stack clean-up stores the result in a global\r\n        ea = idc.next_head(idc.next_head(addr, end), end)\r\n        global_var = idc.get_operand_value(ea, 0)\r\n        idc.set_name(global_var, \"Str_\" + sanitize_string(decrypt_string), idc.SN_NOWARN)\r\n\r\ndef Anti_Reverse():\r\n    # turn every JZ/JNZ (or JNZ/JZ) opaque-predicate pair into JMP + NOPs\r\n    ea = 0\r\n    while True:\r\n        ea = min(ida_search.find_binary(ea, idc.BADADDR, \"74 ? 75 ?\", 16, idc.SEARCH_NEXT | idc.SEARCH_DOWN),  # JZ / JNZ\r\n                 ida_search.find_binary(ea, idc.BADADDR, \"75 ? 74 ?\", 16, idc.SEARCH_NEXT | idc.SEARCH_DOWN))  # JNZ / JZ\r\n        if ea == idc.BADADDR:\r\n            break\r\n        idc.patch_byte(ea, 0xEB)\r\n        idc.patch_byte(ea + 2, 0x90)\r\n        idc.patch_byte(ea + 3, 0x90)\r\n        idc.patch_byte(ea + 4, 0x90)\r\n\r\ndef main():\r\n    Anti_Reverse()\r\n    Strings_resolve(start, end)\r\n    API_resolve(start, end)\r\n\r\nmain()\r\nFor more IDAPython scripts check my repo.\r\nIOCs\r\nHashes:\r\n1. md5 : 880924E5583978C615DD03FF89648093\r\n2. sha1 : EF759F6ECA63D6B05A7B6E395DF3571C9703278B\r\n3. sha256 : 4bcff4386ce8fadce358ef0dbe90f8d5aa7b4c7aec93fca2e605ca2cbc52218b\r\n4. imphash : 4E06C011D59529BFF8E1F1C88254B928\r\n5. ssdeep : 3072:U/E8k9fjpIg+zNch12KbAwSaSMtmSu4/bVBt4b8EG:U/E8k9bwz6/tJc/4xM8EG\r\nMutex : 92550737836278980100\r\nFiles:\r\n1. C:\\ProgramData\\freebl3.dll\r\n2. C:\\ProgramData\\mozglue.dll\r\n3. C:\\ProgramData\\msvcp140.dll\r\n4. C:\\ProgramData\\nss3.dll\r\n5. C:\\ProgramData\\softokn3.dll\r\n6. C:\\ProgramData\\vcruntime140.dll\r\nC2 Server : 194.87.218.39\r\nC2 URLs:\r\n1. http://194[.]87[.]218[.]39/request\r\n2. http://194[.]87[.]218[.]39/RyC66VfSGP[.]php\r\nYARA\r\nrule Mars_Stealer : Mars Stealer\r\n{\r\n    meta:\r\n        Author = \"X__Junior\"\r\n        Description = \"Mars Stealer v8 Detection\"\r\n    strings:\r\n        // $xor and $thread_func are cut off at a page edge in the archived post; only the visible bytes are kept\r\n        $xor = {8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45 ?? 0?}\r\n        $debug = {64 A1 30 00 00 00 80 78 02 00}\r\n        $thread_func = {B8 01 00 00 00 85 ?? 74 ?? E8 ?? ?? ?? ?? 85 ?? 74 ?? 6A 00 FF ?? ?? ?? ?? ?? 6A ?? FF}\r\n        $api1 = \"LocalAlloc\" ascii\r\n        $api2 = \"VirtualProtect\" ascii\r\n        $api3 = \"SetFileTime\" ascii\r\n        $api4 = \"LocalFileTimeToFileTime\" ascii\r\n        $api5 = \"HeapFree\" ascii\r\n        $api6 = \"VirtualFree\" ascii\r\n        $api7 = \"VirtualAlloc\" ascii\r\n        $s1 = \"DPAPI\" ascii\r\n        $s2 = \"memset\" ascii\r\n        $s3 = \"msvcrt.dll\" ascii\r\n        $s4 = \"_mbsnbcpy\" ascii\r\n        $s5 = \"_mbsstr\" ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and 2 of ($api*) and 3 of ($s*) and $debug and $xor and $thread_func\r\n}\r\nConclusion\r\nThe last sample of Mars I saw came packed with a custom packer, easy to unpack with x32dbg by just setting a breakpoint on VirtualAlloc(); nothing else was changed except the C2.\r\nReferences\r\nGreat analysis of the previous version: https://3xp0rt.com/posts/mars-stealer\r\nhttps://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf\r\nSource: https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html"
	],
	"report_names": [
		"MarsStealer.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434118,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2bd881edb60dd9fdeb4bc6ff92caf0e4f8edb569.pdf",
		"text": "https://archive.orkl.eu/2bd881edb60dd9fdeb4bc6ff92caf0e4f8edb569.txt",
		"img": "https://archive.orkl.eu/2bd881edb60dd9fdeb4bc6ff92caf0e4f8edb569.jpg"
	}
}