{
	"id": "3c64683d-29fd-4149-af01-e44b4cb64f40",
	"created_at": "2026-04-06T00:21:53.069969Z",
	"updated_at": "2026-04-10T03:28:46.924107Z",
	"deleted_at": null,
	"sha1_hash": "483cd49b0e16f33da17f5d4e0f23b9f3d23945d8",
	"title": "Mars, a red-hot information stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4148325,
	"plain_text": "Mars, a red-hot information stealer\r\nBy Pierre Le Bourhis, Quentin Bourgue and Sekoia TDR\r\nPublished: 2022-04-07 · Archived: 2026-04-05 22:55:47 UTC\r\nlang: en_US\r\nTable of contents\r\nWhy investigate the Mars Stealer malware?\r\nA journey with the malware developers\r\nMars Stealer capabilities\r\nHigh-quality service for malware operators\r\nUnderground forum presence\r\nHow to collect Mars Stealer IoCs?\r\nCollecting Mars Stealer samples\r\nEarly versions\r\nLLCPPC versions\r\nLatest version (version 8)\r\nTracking Mars Stealer C2 servers\r\nMars Stealer objective C2\r\nMars Stealer main functionalities\r\nString loading\r\nA new section entered the ring\r\nLLCPPC with RC4 encryption\r\nLLCPPC with embedded data\r\nResources\r\nExternal references\r\nMars Stealer is an information stealer sold on underground forums by MarsTeam since June 22, 2021, under the malware-as-a-service model. Its capabilities are those of a classic stealer with a focus on cryptocurrency theft. In short, Mars Stealer is able to:\r\ncollect data from several browsers (passwords, cookies, credit cards, etc.);\r\nsteal credentials from crypto plugins, crypto wallets and 2FA plugins;\r\ngrab files;\r\nfingerprint the infected host.\r\nIt shares code with other information stealers including Arkei, Oski and Vidar.\r\nGiven its interesting functionalities, its ease of use and its reasonable price, the Mars Stealer malware has become popular on several underground forums. 
Moreover, the presumed developers regularly release new versions of the malware to fix bugs and, above all, to improve the Mars Stealer capabilities in terms of data collection and defense evasion.\r\nhttps://blog.sekoia.io/mars-a-red-hot-information-stealer/\r\nPage 1 of 27\r\nMars Stealer was recently brought to light by 3xp0rt’s in-depth analysis [1] and the release of a cracked version. In the blog post, 3xp0rt analyzed a Mars Stealer sample of an early version, exposing the different obfuscation methods and the data targeted by the malware on infected hosts. A few days later, some members of the infosec community shared their findings on the builder and the administration panel of the information stealer. In recent days, some campaigns distributing Mars Stealer have been publicly described [2] [3].\r\nSEKOIA.IO analysts have been monitoring the threat on underground forums to stay up to date on the latest developments. We have also recently carried out an in-depth analysis of samples of different versions of Mars Stealer, and noticed many changes in the obfuscation techniques.\r\nWhy investigate the Mars Stealer malware?\r\nInformation stealers are a threat to be considered, as many threat actors use them to harvest credentials and other personal information. The stolen data can then be sold on underground forums and possibly leveraged in “Big Game Hunting” operations, as the Lapsus$ threat group does [4].\r\nAmong these information stealers, Mars Stealer has become an emerging threat in recent months.\r\nFirst of all, the malware is widely advertised on numerous underground forums and the publications reach a large audience. Furthermore, users of Mars Stealer usually give good feedback and do not hesitate to recommend it when forum members are looking for an information stealer. The Mars Stealer malware therefore appeared in our Dark Web monitoring during the second half of 2021.\r\nFigure 1. 
Positive feedback on the Mars Stealer software and service on the XSS forum\r\nFigure 2. Users’ comments advising Mars Stealer on the XSS publication named “Raccoon or Mars Stealer”\r\nIt is worth noting that Mars Stealer is under continuous development and the project is professionally maintained, which makes it attractive and trustworthy to potential clients. Indeed, the presumed developers (MarsTeam) regularly collect user feedback from posts on the underground forums, on the Telegram support channel or on Jabber. MarsTeam then takes this feedback into account to make improvements, add new features or fix bugs. New versions are regularly released and accompanied by a changelog listing the notable changes made to the Mars Stealer agent and to the panel.\r\nFigure 3. Changelog of the Mars Stealer version 8 published on the XSS forum\r\nFurthermore, the malware appeared in OSINT reports in early 2022, especially with 3xp0rt’s in-depth analysis. Since then, its occurrence in the infosec community has increased because of the publication of its builder and, above all, because some campaigns distributing Mars Stealer have been brought to light in the Cyber Threat Intelligence sphere.\r\nLast, the abrupt shutdown of Raccoon Stealer operations, one of the most widespread stealers, leaves a significant part of the information stealer market open. Indeed, on March 25, 2022, the profile raccoonstealer announced on the Russian-speaking underground forum XSS that the group operating Raccoon Stealer had closed the project for an undetermined period of time. This unexpected shutdown is due to the loss of a developer of the Raccoon Stealer project during the “special operation”, in reference to the Russian war in Ukraine.\r\nFigure 4. 
Raccoonstealer’s statement on the shutdown of the Raccoon Stealer project on the XSS forum\r\nA publication of MarsTeam on the XSS forum fully confirmed this hypothesis. On March 24, 2022, MarsTeam responded to two potential clients:\r\n“Guys, deal with the message backlog, will reply to all within 24 hours. A lot of people came from Raccoon. We do not have time to process all messages physically.” (translated from Russian)\r\nFigure 5. MarsTeam mentioning a wave of clients coming from Raccoon on the XSS forum\r\nFor all of the above reasons, it seems relevant to us to monitor the Mars Stealer threat, to stay up to date on the development of the malware and to track Indicators of Compromise (IoCs) to detect Mars Stealer. These two points are the subject of the next parts.\r\nA journey with the malware developers\r\nIn this part, we analyze the publications and activities of the presumed Mars Stealer developers (MarsTeam) on underground forums. According to our Dark Web monitoring, MarsTeam is active on numerous underground forums including XSS.is, lolz.guru and bhf.io. However, we focus on the XSS forum, as MarsTeam publishes there first and more frequently.\r\nOn May 21, 2021, the Mars Stealer team joined the XSS underground forum under the name MarsTeam with a deposit of 0.009 Bitcoin ($336 at the May 2021 exchange rate). One month later, MarsTeam opened a new discussion whose title, translated from Russian, is “Mars Stealer – a native, non-resident stealer with loader and stealer functionality”.\r\nFigure 6. First publication of MarsTeam advertising Mars Stealer\r\nThe publication introduces Mars Stealer as “a new software developed for people working with crypto” – to be interpreted as: for people who want to steal cryptocurrencies. 
The malware is sold under the malware-as-a-service model for $140 per month.\r\nMars Stealer capabilities\r\nAs mentioned in the introduction, the Mars Stealer capabilities advertised by MarsTeam are those of a classic information stealer with a specific focus on cryptocurrency theft. Our technical analysis of Mars Stealer confirmed that the applications targeted by the malware samples are those described in the MarsTeam publications.\r\nThe stealer collects personal information from numerous browsers: passwords, cookies, credit cards, autofill data, browsing history and downloaded files. The list of supported browsers is quite wide, from the most popular (Google Chrome, Internet Explorer, Microsoft Edge, Firefox, etc.) to the less common. Mars Stealer collects this data from the default paths of the different browsers’ user data, or browser profiles.\r\nThe theft of cryptocurrencies is one of its distinguishing features. MarsTeam specifies that: “Important feature that makes us stand out from competitors is the collection of browser plugins with an emphasis on cryptocurrency and 2FA plugins” (translated from Russian). Indeed, the list of targeted crypto plugins is very long, with more than 40 references, including the most used (Coinbase, MetaMask, Binance). The same goes for the list of crypto wallets and 2FA plugins targeted by the information stealer.\r\nThe malware also fingerprints the infected host to collect information about hardware, installed software and other personal information. 
Mars Stealer collects these data using WinAPI calls such as GetSystemInfo and GetCurrentProcess, or by querying Windows Registry keys such as HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 and SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall.\r\nLast but not least, Mars Stealer acts as a file grabber which is easily customizable by the operator. MarsTeam describes it as “a powerful feature”, as the start path, file extension, file size and recursive search can be configured. It also captures a screenshot of the victim’s desktop, and can download files to the infected machine and execute them with arguments.\r\nHigh-quality service for malware operators\r\nIn addition to the stealing agent, Mars Stealer is sold with the administration panel and customer support. It is worth noting that the malware operator must host the Command \u0026 Control (C2) server and the associated panel on their own server to access the stolen data. MarsTeam insists on the fact that all the traffic is available only to the customer and does not pass through a server of the Mars Stealer developers. This functionality is often requested by information stealer users who want to control and own all the data.\r\nIn MarsTeam’s first publication, the Mars Stealer administration panel is described as having “a powerful data search functionality”, and the user experience seems to be a priority in the development of Mars Stealer. 
MarsTeam describes multiple capabilities of the panel with which the operator can easily manage, sort, filter and remove the logs.\r\nMoreover, the purchase of Mars Stealer includes a high-quality service covering support for all issues, access to the customer chat and the new releases of the malware.\r\nAll the malware capabilities, accompanied by a user-friendly interface and quality support, make Mars Stealer very attractive and popular with attackers on underground markets.\r\nUnderground forum presence\r\nThe responsiveness of the Mars Stealer team on the underground forums sends a positive message to potential customers. MarsTeam is not only responsive to user requests, but also very active on several underground forums. Since the first communication on Mars Stealer in June 2021, MarsTeam has regularly published changelogs to announce new malware releases, as shown by the following figure. Special offers or teasers of new features are also the subject of many of MarsTeam’s posts.\r\nFigure 7. Timeline of MarsTeam’s major publications on the XSS forum\r\nLet us consider the releases of new Mars Stealer versions on the XSS forum. Most of these changelogs include new features, improvements or bug fixes, both on the agent and on the administration panel. We noticed that the early versions did not have a version number. The official versioning started with version 4, released on August 21, 2021, so we approximately associated the first versions with MarsTeam’s early changelogs. Most of them are divided into two sections: one on the software and one on the administration panel.\r\nSoftware improvements focus on the coverage of targeted applications, by adding new browsers or new crypto plugins, as well as on upgrading defense evasion techniques. 
For example, version 7 introduced support for the Google Beta browser and numerous crypto plugins, which increased the number of collectable crypto plugins to 101. Version 6 brought new evasion methods against VMs and antivirus software.\r\nImprovements made to the web administration panel aim to ease the user experience by giving new possibilities for sorting, filtering and searching stolen data. The Mars Stealer developer also optimized the performance of the SQL database.\r\nThe analysis of MarsTeam’s publications on different underground forums shows that the presumed Mars Stealer developers work professionally on software development, but also on communication and support. This conscientiousness seems to appeal to attackers who want to buy and use an information stealer that is well maintained and continuously enhanced.\r\nHow to collect Mars Stealer IoCs?\r\nIn the previous part, we showed how Mars Stealer has become an emerging threat and why we must take an interest in it. In this part we see how to collect Mars Stealer IoCs based on YARA signatures, a C2 server tracker and the automated extraction of the malware configuration. The last method requires a technical analysis of Mars Stealer and its versions, which implement different obfuscation techniques. This in-depth analysis is the subject of the part named Mars Stealer objective C2.\r\nCollecting Mars Stealer samples\r\nEarly versions\r\nBefore analyzing the different versions of the Mars Stealer malware, a first step consists of collecting the malware samples. We therefore wrote a YARA rule based on the sample shared in the 3xp0rt analysis to identify other Mars Stealer samples.\r\nA reliable method to detect samples of a malware family consists in searching for operation code (opcode) patterns used in the deobfuscation routine. 
In the early versions, the malware implemented a deobfuscation function which first decodes base64-encoded strings and then decrypts the RC4-encrypted result. This algorithm is applied to numerous obfuscated strings, as shown in the following figure, which corresponds to the function loading obfuscated strings.\r\nFigure 8. Function loading obfuscated strings in a Mars Stealer early version sample\r\nFour instructions are repeated for each obfuscated string: push, call, add and mov. A YARA rule identifying this version of Mars Stealer can be written based on the repetition of these opcodes. Adding some specific strings to the detection pattern can fine-tune the rule in order to identify only Mars Stealer binaries. Here is a possible YARA rule to find Mars Stealer samples:\r\nrule infostealer_win_mars_stealer_early_version {\r\n    meta:\r\n        description = \"Identifies samples of Mars Stealer early version based on opcodes of the function loading\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/mars-a-red-hot-information-stealer/\"\r\n        classification = \"TLP:WHITE\"\r\n        hash = \"7da3029263bfbb0699119a715ce22a3941cf8100428fd43c9e1e46bf436ca687\"\r\n    strings:\r\n        // mov [addr], eax ; push imm32 ; call rel32 ; add esp, imm8 : one repetition per obfuscated string\r\n        $dec = {a3 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? 
00 00 83 c4 ??}\r\n        $api00 = \"LoadLibrary\" ascii\r\n        $api01 = \"GetProcAddress\" ascii\r\n        $api02 = \"ExitProcess\" ascii\r\n        $api03 = \"advapi32.dll\" ascii\r\n        $api04 = \"crypt32.dll\" ascii\r\n        $api05 = \"GetTickCount\" ascii\r\n        $api06 = \"Sleep\" ascii\r\n        $api07 = \"GetUserDefaultLangID\" ascii\r\n        $api08 = \"CreateMutex\" ascii\r\n        $api09 = \"GetLastError\" ascii\r\n        $api10 = \"HeapAlloc\" ascii\r\n        $api11 = \"GetProcessHeap\" ascii\r\n        $api12 = \"GetComputerName\" ascii\r\n        $api13 = \"VirtualProtect\" ascii\r\n        $api14 = \"GetUserName\" ascii\r\n        $api15 = \"CryptStringToBinary\" ascii\r\n        $str0 = \"JohnDoe\" ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        #dec \u003e 400 and 12 of ($api*) and $str0\r\n}\r\nFigure 9. YARA rule identifying Mars Stealer early version samples\r\nWe shared the rule on sample sharing platforms and collected several results from it. As expected from our Dark Web monitoring, we observed different Mars Stealer versions among the collected samples, distinguished by their deobfuscation routines. We also noticed several samples in which a new PE section name appeared: LLCPPC. More details on the different versions can be found in the following technical analysis.\r\nLLCPPC versions\r\nThe PE section name LLCPPC is a highly discriminating characteristic of the Mars Stealer malware. 
We can therefore easily identify Mars Stealer samples using this characteristic in a YARA rule relying on the PE module:\r\nimport \"pe\"\r\nrule infostealer_win_mars_stealer_llcppc {\r\n    meta:\r\n        description = \"Identifies samples of Mars Stealer based on the PE section name LLCPPC.\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/mars-a-red-hot-information-stealer/\"\r\n        classification = \"TLP:WHITE\"\r\n        hash = \"fd92fe8a4534bc6e14e177fee38a13f771a091fa6c7171fcee2791c58fbecf40\"\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        // the LLCPPC section is small: code plus, in later versions, the C2 data and XOR key\r\n        for any i in (0..pe.number_of_sections-1): (\r\n            pe.sections[i].name == \"LLCPPC\" and pe.sections[i].raw_data_size \u003c 5000 )\r\n}\r\nFigure 10. YARA rule identifying Mars Stealer samples based on the PE section name\r\nFor information, LLCPPC is a profile on the underground forum lolz.guru who reverse engineers some popular malware (Redline, Mars Stealer, DCRat, X-FILES and SHurkSteal) in order to debunk the misleading information used to advertise the product.\r\nThe developer of Mars Stealer probably named the PE section of the malware to mock LLCPPC after the analysis of the malware which revealed untruths in the malware’s advertisement. On August 24, 2021, LLCPPC published a technical analysis of a Mars Stealer sample with the title “Mars Stealer is the worst stealer | How the shit coder cheats on you”.\r\nFigure 11. LLCPPC’s publication debunking a Mars Stealer sample on the lolz.guru forum\r\nIn this analysis, LLCPPC concludes that only the encryption and the secure import address table are pros of Mars Stealer, while the list of cons is much longer. Among them, LLCPPC raised the non-optimized code, the lack of debugging and virtualization evasion, the absence of multithreading, etc. 
As shown by the previous figure, LLCPPC also mentioned that the Mars Stealer sample is well detected by VirusTotal and Any.Run analysis, contrary to what MarsTeam stated.\r\nLatest version (version 8)\r\nThe LLCPPC section disappeared in the latest version of Mars Stealer, which corresponds to version 8 according to the MarsTeam releases on XSS. Indeed, samples of the latest Mars Stealer version send only one request to retrieve the DLLs (freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll, sqlite3.dll and vcruntime140.dll). These files are legitimate third-party DLLs that allow Mars Stealer to collect data from the infected host. As written by MarsTeam in the version 8 release notes, “now the software makes one request after the request file, which contains all necessary libraries for correct work of the software” (translated from Russian); this behaviour therefore corresponds to version 8 samples.\r\nCommunication with the C2 server is performed over HTTP and, since version 6, the stealer can use HTTPS.\r\nFigure 12. HTTP communication with the C2 server\r\n1. The implant sends a GET request to the C2 URL to grab its configuration.\r\n2. The implant fetches all DLLs from the “/request” endpoint; the libraries are zipped (c.f. figure 13).\r\n3. Stolen data are posted to the C2 on the same URL used in step (1).\r\nFigure 13. HTTP response on /request that contains all DLLs zipped\r\nTo identify and collect these samples, we can again write a YARA rule based on the string deobfuscation routine, since the discriminating section name is no longer used. 
From our technical analysis, we identify the deobfuscation routine based on XOR keys, which is further detailed in the “Mars Stealer objective C2” section. The algorithm consists in XORing each obfuscated string with its corresponding key.\r\nOur resulting YARA rule is:\r\nrule infostealer_win_mars_stealer_xor_routine {\r\n    meta:\r\n        description = \"Identifies samples of Mars Stealer based on the XOR deobfuscation routine.\"\r\n        source = \"SEKOIA.IO\"\r\n        reference = \"https://blog.sekoia.io/mars-a-red-hot-information-stealer/\"\r\n        classification = \"TLP:WHITE\"\r\n        hash = \"4bcff4386ce8fadce358ef0dbe90f8d5aa7b4c7aec93fca2e605ca2cbc52218b\"\r\n    strings:\r\n        // opcodes of the XOR loop (the hex pattern is truncated in the published article)\r\n        $xor = {8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45}\r\n    condition:\r\n        uint16(0) == 0x5A4D and $xor\r\n}\r\nFigure 14. YARA rule identifying the XOR routine implemented by Mars Stealer\r\nTo conclude this section, we would like to mention another rather classical but very efficient method to collect and classify malware samples, based on the PE creation time. Indeed, many unpacked Mars Stealer samples share identical PE creation dates, making them easy to identify on sample sharing platforms: “2021-08-12T17:45:33” and “2022-01-05T14:09:08”.\r\nTracking Mars Stealer C2 servers\r\nTracking servers used to host malware C2 servers, or more widely adversary infrastructures, is a proactive hunting approach we have intensively developed at SEKOIA.IO [5]. Concerning the Mars Stealer malware, C2 servers are hosted by the attackers and not by the malware developer. 
This makes it more difficult, or even impossible, to identify a heuristic based on the HTTP response to find the malware C2 servers, as each attacker configures their own HTTP server hosting the Mars Stealer administration panel.\r\nHowever, a good and simple method to track widely sold malware consists in finding servers hosting one of the characteristic web pages of the administration panel. By searching for the hashes of these specific web pages (JavaScript, PHP or HTML pages) on URL scanning platforms, we can identify the servers used by the malware to download payloads and exfiltrate the stolen information.\r\nConcerning the Mars Stealer administration panel, we can track several pages which are specific to the malware panel. For example:\r\nd8f09307b60c5bef5ceacfd8501bd3d91f1de9e5e746bb2d7def94d86789da50 and 304288329069ad8eaafce0f10a369101607c9248fbc9aaaa733c9e2dab5c467f are specific to the Mars Stealer PHP login pages (login.php). The first hash corresponds to the login page of version 8 of Mars Stealer, while the second corresponds to the login page of version 7 and below. We were able to confirm these results from the leaked source code of the administration panel.\r\n20e6bb3cf9d13f10bca7b7b5d1f4cb82146c274747e8c2ae7fe3307881f00829 is specific to a CSS page used by the Mars Stealer login page (bootstrap.min.css).\r\nFigure 15. Login page of the Mars Stealer administration panel\r\nFrom this information, we can write a heuristic on urlscan.io [6] (or other similar services) like:\r\nhash:(20e6bb3cf9d13f10bca7b7b5d1f4cb82146c274747e8c2ae7fe3307881f00829 OR 304288329069ad8eaafce0f10a3\r\nOn April 7, 2022, this query resulted in 43 URLs which hosted a Mars Stealer administration panel.\r\nFigure 16. 
Urlscan.io results on the heuristic identifying Mars Stealer login pages\r\nThis method is based on URL submissions and, unfortunately, is not as proactive as heuristics based on the HTTP response. But it has the merit of collecting network IoCs (domain names or IP addresses) over time. Moreover, the web pages of the malware administration panel rarely change, unlike the source code of the agent. It is therefore a good way to track a malware family over time and then pivot to new samples that might not be detected by our YARA rules.\r\nAnother way of tracking Mars Stealer C2 servers is to pivot on the file request (3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07), which is the archive containing the legitimate DLLs. All Mars Stealer samples of version 8 request this resource. For example, on VirusTotal, some C2 servers can be identified as hosting the zip file, along with the samples requesting it.\r\nIn conclusion, we track the Mars Stealer threat by different means, which allows us to collect network and system IoCs. Another technique we used to collect Mars Stealer C2 URLs consists of extracting them from the samples. The next part focuses on our in-depth analysis of several Mars Stealer versions, which allowed us to implement a configuration extractor.\r\nMars Stealer objective C2\r\nAn in-depth analysis of this malware has been done by 3xp0rt; the article describes how the strings are loaded, the checks performed against the infected hosts (languages, anti-emulation, e.g. John Doe \u0026 HAL9TH), the cookie and crypto wallet extraction, the C2 exfiltration and the configuration grabbing. In our context, the analysis here focuses on the Command and Control configuration and, moreover, on how to automatically extract it. 
To answer this need, an analysis of the different versions of the malware, and of how the C2 URL is deobfuscated and loaded in the PE, is required. From this analysis, we tried to identify the Mars Stealer releases based on the MarsTeam publications on the XSS forum.\r\nMars Stealer main functionalities\r\nThe figure below briefly introduces what the Mars Stealer core function looks like (for more details, check 3xp0rt’s in-depth analysis [1]); its main function can be split into 8 units described below:\r\n1. Load static strings: this function prepares the malware to load further libraries and functions and sets up the decryption key;\r\n2. Link basic functions to set up the malware functionalities for steps 3 to 4 inclusive;\r\n3. Anti-debugging / Anti-emulation:\r\n    1. Check time\r\n    2. Check Windows Defender sandbox\r\n4. Decrypt all strings: this includes other libraries’ function names and strings used by the stealer (e.g. SQL requests for cookie extraction);\r\n5. Load all required functions and libraries (sqlite3.dll, freebl3.dll, mozglue.dll, etc.);\r\n6. Steal cookies, crypto wallets, passwords, etc.;\r\n7. Exfiltrate stolen data over HTTP to its C2;\r\n8. Remove itself via ShellExecuteExA (C:\\Windows\\System32\\cmd.exe /c timeout /t 5 \u0026 del /f /q \"%s\" \u0026 exit).\r\nFigure 17. Mars Stealer core function\r\nThis article focuses on the differences observed across the different Mars Stealer samples we have collected. As mentioned previously in the analysis of publications on underground forums, MarsTeam tries to improve its product with each release (bug fixes, some obfuscation \u0026 new functionalities). Release advertisements on the XSS forum might not match what has been identified as a version in this article. 
The version identification process is based on how the malware stores and deobfuscates its C2, which could lead to overlaps between the versions announced by MarsTeam and ours.\r\nThe next section describes the first and oldest technique used by Mars Stealer to load its C2, which involves retrieving the RC4 key and spotting the position of the Command and Control in the PE.\r\nString loading\r\nOne of the first functions of the malware aims to load a small set of strings, which are used a bit later with the two well-known functions of Kernel32.dll: LoadLibrary and GetProcAddress. These two functions are used for further function and library loading. In this same function (load_string), the first string loaded is twenty bytes long, and appears to be the key used to decrypt (RC4) the strings of the malware.\r\nThose obfuscated strings are stored in the .data section in the following format: string encrypted with the RC4 (Rivest Cipher 4) [7] algorithm, then stored in base64. The figure below shows how the RC4 key is loaded.\r\nFigure 18. RC4 key loading\r\nFor example, for the following string “K3vgIP3rMlysQNU=”:\r\n1. The base64-decoded string is 2b7be020fdeb325cac40d5.\r\n2. The RC4-decrypted string with the key 85297062256884302049 is “MachineGuid”.\r\nRetrieving the RC4 key is the first step to get the C2 in clear text. Then, the objective is to find the offset of the strings that contain the C2. These strings are the third and fourth strings loaded and decrypted in the function decrypt_string.\r\nFigure 19. Offset of C2 encoded in base64 and encrypted with RC4 (addresses: 0x4131f4 and 0x413210)\r\nIn one of the most recent releases, a new section was created by the Mars Stealer authors. The C2 location is now at an offset defined in the LLCPPC code, c.f. figure 20. 
This version and its upgrades are analyzed in depth in the next three sections.\r\nA new section entered the ring\r\nAs introduced in the section “Collecting Mars Stealer samples”, a new section with the singular name LLCPPC was introduced in the Mars Stealer PE structure.\r\nThe structure of this section has evolved over the different releases. At first, this section was composed of one segment containing code used by the malware; the authors then added data, sometimes in clear text and sometimes obfuscated.\r\nThe new section of the malware has the following structure:\r\nFigure 20. LLCPPC section structure\r\nIn the LLCPPC section structure above, the C2 URL is in clear text, meaning it is not obfuscated and the XOR key is not used. However, in most samples, the C2 URL is obfuscated with the XOR key.\r\nThree different versions of this section were observed during our investigation. The first version of this section is the one using RC4 encryption on the C2 located in the data section; in the next version, the malware developers appended the C2 at the bottom of the section and changed the obfuscation method. The data can be obfuscated with a XOR operation or stored in clear text.\r\nLLCPPC with RC4 encryption\r\nThe simplest version of the LLCPPC section only contains code. The code is in charge of loading the obfuscated string from a specific offset and calling the deobfuscation function (i.e. base64 decoding plus RC4 decryption).\r\nFigure 21. 
IDA decompilation of the function “decrypt_string” that calls a function in the LLCPPC section to load the C2\r\nThe malware developers replaced the C2 decryption (see figure 21) with a call to the function located at the beginning of the LLCPPC section, oddly followed by multiple NOP instructions.\r\nThe called function of the LLCPPC section is the following one:\r\nFigure 22. IDA decompilation of the C2 loading before its decryption (RC4)\r\n1. The call edx is a call to the kernel32.dll function GetModuleHandleA, used to return the handle of the loaded file; the requested module here is 0 (NULL), a trick to return the base address of the PE.\r\n2. From this address an offset is computed (different in each Mars Stealer sample): lea eax, [edi + 0x16d40], where edi holds the base address of the PE.\r\n3. Then, a call esi is performed; register esi contains the address of the function that decodes base64 and decrypts RC4. This function is located in the .text section and is used to decrypt other strings of the malware. It is the same function that is called multiple times by decrypt_string.\r\n4. Finally, the decoded and decrypted string is stored at a specific location with mov dword [edi + 0x177b0], eax; the edi register still contains the base address of the PE.\r\nFigure 23. IDA decompilation of the C2 bozkurtoot[.]dev loading after its decryption (RC4)\r\nThe deobfuscation process is called twice: once for the C2 IP address or domain name and once for the URL path, as highlighted in the figure above.\r\nLLCPPC with embedded data\r\nAs mentioned previously, some versions of this section embed data; those data appear to be the C2 (IP address or domain name) plus its URL path.\r\nFrom then on, two variants exist: one with the C2 in clear text (c.f. 
figure 24) and a variant where the C2 is XORed (cf.\r\nfigure 25):\r\nFigure 24. Radare2 dump of LLCPPC section with C2 in clear text\r\nFigure 25. Radare2 dump of LLCPPC section with C2 obfuscated\r\nA dynamic analysis helps to identify how the C2 was obfuscated and where its obfuscation key was stored.\r\nThe deobfuscation function (cf. figure 27) determines the string length, then loads the C2 and the XOR key from a\r\nknown offset in the LLCPPC section, and finally calls the function that unxors the data. This function is\r\nlocated in the .text section and is also used to deobfuscate other strings.\r\nIn fact, the obfuscated C2 can be read in clear text with the following short Python snippet:\r\nfrom typing import Iterable\r\n\r\ndef unxor(string: Iterable[int], key: Iterable[int]) -\u003e str:\r\n    \"\"\"Unxor obfuscated data from the LLCPPC section; both arguments are byte sequences\"\"\"\r\n    unxored = \"\"\r\n    # zip stops at the shorter input, so the key must be at least as long as the data\r\n    for c1, c2 in zip(key, string):\r\n        unxored += chr(c1 ^ c2)\r\n    return unxored\r\nFigure 26. Function deobfuscating data from LLCPPC section\r\nThe function responsible for unxoring the string data is the following one:\r\nFigure 27. IDA decompilation of the function responsible for unxoring strings\r\nThe following observations were made while analyzing multiple samples that use XOR obfuscation and store\r\ndata in the LLCPPC section (cf. figure 20). 
The obfuscated C2 target, C2 URL path and XOR key are located at the same\r\nposition in each sample of this version, which indicates a static assignment of the location by the authors.\r\nC2 target offset: LLCPPC base address + 0x200.\r\nC2 target clear text is in the .data section: 0x41A800.\r\nC2 URL path offset: LLCPPC base address + 0x280.\r\nC2 URL path clear text is in the .data section: 0x41A2A0.\r\nXOR key for the C2 target and C2 URL path: LLCPPC base address + 0x300.\r\nThe mechanism described above to obtain the C2 might be attributed to version 4 and above. A new\r\nvariant then came with virtual machine and analysis environment detection.\r\nLLCPPC Anti VM mechanism\r\nThe Mars Stealer team has updated its C2 loading; some anti-VM checks have been introduced in a new version.\r\nAs shown in the figure below, the malware loops over the running processes looking for particular process names.\r\nThis version checks whether a process name contains VBOX or whether a process is named q.exe, which is the\r\nSysinternals Rootkit detection utility8. If none of the suspicious processes is identified, the malware allocates a\r\nvirtual memory area for the Mars Stealer core function (cf. figure 17) and then executes it (cf. figure 28, “jmp eax”).\r\nFigure 28. Anti-VM mechanism\r\nThe C2 loading method for this version does not differ much from the other LLCPPC versions. 
Indeed, after the\r\nvirtual memory allocation for the Mars Stealer core function, followed by the jump into this newly allocated memory\r\narea, the code of Mars Stealer remains the same as the one described in the “Mars Stealer capabilities” section.\r\nHowever, from a scripting point of view, it is necessary to look a step further to find the “OEP” (Original\r\nEntry Point).\r\nLLCPPC left the game: Mars Stealer V8\r\nAs explained previously in the section “Collecting Mars Stealer samples”, the latest version has evolved: both the\r\nC2 server and the implant benefit from some upgrades. From the implant point of view, two major functionalities\r\nwere introduced:\r\n1. Downloaded DLLs are now grouped in a single ZIP file named and fetched from the “/request” URL.\r\n2. A new anti-analysis check is introduced.\r\nThe C2 is obfuscated using the same techniques as described in the section “LLCPPC with embedded data”, but\r\nfor this version, the obfuscated data is located in the .rdata section. Moreover, each part of the C2, the IP address or\r\ndomain name and the URL path, has its own XOR key. The structure of the code does not change compared to\r\nthe previous version with XOR obfuscation: the XORed string is followed in the PE structure by its XOR key.\r\nFigure 29. Obfuscated C2 IP address followed by its XOR key\r\nThis simple version 8 of Mars Stealer does not represent the trend we observed during our tracking:\r\nvarious samples identified as version 8 are packed with Themida9.\r\nAs mentioned in the previous section, the samples retrieved from VirusTotal were identified with only two different\r\nRC4 keys: 8529706225688430204 and 86223203794583053453, with massive usage of the first one. 
We cannot\r\naffirm that a given key is linked to a specific release, a selling batch or a threat actor (the latter hypothesis does not\r\nmake sense in a malware-as-a-service context).\r\nThe XOR key located at the end of the LLCPPC section is still present even if no obfuscation is applied to\r\nthe C2 (cf. figure 24).\r\nSome older (below version 7) Mars Stealer samples came “packed” with a VMProtect layer; the related hashes are:\r\na6cd1f6158ce5a16bd500218333e81fcb6ecd960da3cfa0c1b701a5cf9f98dec\r\n8ded24590c991f33438fe38f3ae10e91672369b1f029bf339a94d74c8645932a\r\naf503eb7e314b4a8acb2ef849fc7cea7f273fa9544b40904314b651859b66a17\r\nSEKOIA.IO interaction\r\nThe C2 loading and deobfuscation of the malware have been analyzed across its different versions, and the behavior of\r\neach version is now identified. A FAME module10 that automatically extracts the Command and Control has been\r\ndeveloped. This module uses the Python library r2pipe11 to interact with the PE file.\r\nTwice a week, one of the workers of our SEKOIA Malware Watcher project pulls samples from VirusTotal that\r\nmatch our YARA rule mentioned in the “Collecting Mars Stealer samples” section and submits these samples to\r\nour FAME instance. C2s are extracted via FAME and finally pushed, contextualized, to SEKOIA.IO with the\r\nrelationship indicating the Mars Stealer malware.\r\nFigure 29. From VirusTotal to SEKOIA.IO with FAME\r\nThe FAME module will be released as Open Source on the SEKOIA.IO public GitHub repository named\r\nfame_module12. The extractor is available as a standalone script13.\r\nFigure 30. 
Pushed IoCs in SEKOIA.IO from SEKOIA Malware Watcher\r\nExtracted IoCs can be found in the SEKOIA.IO Intelligence Center under the Mars Stealer malware object on the\r\nThreat Context tab; these IoCs are tagged with the source SEKOIA Malware Watcher.\r\nThanks for reading. You can also read our article on how to track and detect Cobalt Strike.\r\nResources\r\nIoCs: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/marsstealer/mars_stealer_iocs_20220407.csv\r\nYARA rules:\r\ninfostealer_win_mars_stealer_early_version: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/marsstealer/yara_rules/infostealer_marsstealer_early_version.yar\r\ninfostealer_win_mars_stealer_llcppc: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/marsstealer/yara_rules/infostealer_marsstealer_llcppc.yar\r\ninfostealer_win_mars_stealer_xor_routine: https://github.com/SEKOIA-IO/Community/blob/main/IOCs/marsstealer/infostealer_marsstealer_xor_routine.yar\r\nStandalone extraction script: https://github.com/SEKOIA-IO/Community/blob/main/scripts/mars_stealer_c2_extractor.py\r\nExternal references\r\n1. 3xp0rt analysis of Mars Stealer, February 1, 2022\r\n2. Exclusive Threat Research: Mars (Stealer) Attacks!, MorphisecLab, March 29, 2022\r\n3. Mass distribution of the MarsStealer malware among citizens of Ukraine and domestic organizations, CERT UA, March 30, 2022\r\n4. Lapsus$: when kiddies play in the big league, SEKOIA TDR, March 23, 2022\r\n5. The Command \u0026 Control infrastructures of cyber attackers observed in 2021 by SEKOIA.IO, SEKOIA TDR, January 2022\r\n6. URL Scan Mars Stealer Administration Panel Heuristic\r\n7. RC4: Rivest Cipher 4, Wikipedia\r\n8. Sysinternals tool: Rootkit detection utility, Microsoft\r\n9. Themida Overview, Oreans Technologies\r\n10. FAME Automates Malware Evaluation, CERT Société Générale \u0026 CERT SEKOIA\r\n11. Python library 
r2pipe, Radare2\r\n12. FAME module: Mars Stealer configuration extractor, SEKOIA TDR\r\n13. Standalone script: Mars Stealer configuration extractor, SEKOIA TDR\r\nSource: https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sekoia.io/mars-a-red-hot-information-stealer/"
	],
	"report_names": [
		"mars-a-red-hot-information-stealer"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/483cd49b0e16f33da17f5d4e0f23b9f3d23945d8.pdf",
		"text": "https://archive.orkl.eu/483cd49b0e16f33da17f5d4e0f23b9f3d23945d8.txt",
		"img": "https://archive.orkl.eu/483cd49b0e16f33da17f5d4e0f23b9f3d23945d8.jpg"
	}
}