# eSentire Threat Intelligence Malware Analysis: Mars Stealer

**esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer**

Mars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its predecessor Oski Stealer
was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and extensions, is multi-functional, and avoids
detection. In addition, it’s low price on the malware market has generated significant attention from threat actor(s) who are looking to add the
effective malware into their arsenal.

[eSentire's Threat Response Unit (TRU) team previously published a TRU Positive that focused on the cyber threat investigation summary of a](https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer)
singular incident and recommendations regarding Mars Stealer malware. However, this blogpost delves deeper into the technical details that
[were gathered during the research and analysis of the Mars Stealer TRU Positive.](https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer)

## Key Takeaways:

Mars Stealer is the latest version of Oski Stealer, which was discontinued in June 2020.
NetSupport RAT (Remote Access Tool), or client32.exe, was embedded in a ChromeSetup.exe file and used by an attacker to gain
access to a victim’s workstation for further deployment of tools needed to plant Mars Stealer.
An executable with the original filename 3uAirPlayer was used to deploy obfuscated AutoIt scripts with Mars Stealer embedded inside
and a renamed version of AutoIt to evade detections.
The persistence mechanism was created to make sure the attacker(s) maintain access to NetSupportManager as a backdoor.
Mars Stealer can self-delete itself after successfully exfiltrating the victim’s data, leaving no trace behind.

## Case Study

The first mention of Mars Stealer appeared on Russian-speaking forums in June 2021 and at the time, it was being sold for $140 a month
(Exhibit 1).


-----

_Exhibit 1: Advertisement on Mars Stealer_

Mars Stealer allegedly ‘supports’, or is capable of, harvesting data from common browsers, crypto wallets, and two-factor authentication (2FA)
and crypto extensions. Since the release of Mars Stealer, eSentire’s Threat Response Unit (TRU) team has observed a number of cracked
versions being distributed by a reverse engineer who goes under the username ‘LLCPPC’. The latest version is Mars Stealer v8 (Exhibit 2).

Exhibit 2: Mars Stealer v8 advertisement


-----

a s Stea e as bee de e ed as a d [e by do](https://blog.morphisec.com/threat-research-mars-stealer) oad a c o ed ebs tes o o so t a e, suc as Ope O ce e a a e s a so
[distributed as patching software and keygens on gaming forums. In the incident observed by eSentire, the stealer was delivered via the](https://cyberint.com/blog/research/mars-stealer/)
NetSupportManager RAT.

## Technical Analysis of Mars Stealer Infection

### Initial Access

The initial access vector occurred when the victim visited a malicious website hosting an ISO image named ChromeSetup.iso
(hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup[.]iso).

The ISO image contained ChromeSetup.exe, which had an embedded NetSupportManager RAT and a Chrome Updater in a cabinet (CAB)
archive-file format (Exhibits 3-4).

_Exhibit 3: Cabinet section under RCData_

_Exhibit 4: Contents of the extracted CAB file_

The NetSupportManager RAT was obfuscated by the attacker as ‘21m_18_033.exe’. The RAT was installed in tandem when the victim opened
ChromeSetup.exe. Persistence was achieved by the RAT via a Startup LNK file through the following path:

c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup\autorunings.ini.lnk

The LNK runs the RAT under C:\Users\*\AppData\Roaming\WinSupports\client32.exe after each reboot attempt.

It is worth noting that attacks involving RATs do not usually start with the full infection chain once the user executes the initial payload. The
attacker would need additional time to access the RAT and load additional payloads. In the incident we analyzed, the attacker’s movement in
the network can be observed in Exhibit 5.

_Exhibit 5: Infection chain_


-----

a p e e (o g a a e 3u aye e e) as used to p a t t e o o g uto t sc pts o t e ct s o stat o u de t e pat
C:\Users\*\AppData\Local\Temp\IXP001.TMP:

una.wmd
fervore.wmd
vai.wmd

The scripts were embedded within the CAB file of the executable (Exhibits 6-7)

_Exhibit 6: Cabinet section under RCData (aNpRAHx.exe)_

_Exhibit 7: Contents of the CAB file_

The AutoIt scripts were highly obfuscated. Within the aNpRAHx.exe resources, there was a POSTRUNPROGRAM section that contained the
following command:

**Esitanza.exe.pif: the renamed AutoIt program**
**una.wmd: the script responsible for dropping Esitanza.exe**
**vai.wmd: the core script that contains Mars Stealer, its dependencies, and the copy of a NTDLL.DLL file**

_Exhibit 8: Obfuscated Fervore.wmd script_

The post command execution was also responsible for running the following commands on the host:

find /I /N "bullguardcore.exe"
find /I /N "psuaservice.exe”


-----

dst / /
"^UzERaIroWGYHeuAyIPBJMSUyDIptkdLqzqzZHgBHJNQEeOwczSBTavTwnmhKnZWGVYgwNAnxhUZYefrOGNKzOSHWiaAoqRoKRlJtmq
Una.wmd
tasklist /FI "imagename eq BullGuardCore.exe”
tasklist /FI "imagename eq PSUAService.exe"

As indicated above, vai.wmd is the script responsible for loading additional dependencies as well as Mars Stealer. The value $ARZURr holds
the obfuscated Mars Stealer version (Exhibit 9). The RC4 key was derived from the following pattern:

Binary(MRPvnDnroX("58}59}59}63}61}63}60}60}58}59}62}63}57}57}58}64}56}63}57}63}57}63}57}61}60}57}60",7)))))

The pattern subtracts 7 from each character that is eventually converted to ASCII format. The RC4 key to decrypt the Mars Stealer is
“344868553478223918282826525”.

_Exhibit 9: The hex values of the obfuscated Mars Stealer_

After decrypting the binary (Exhibit 10), there appeared to be another layer of obfuscation added to the file that was decrypted during runtime.

_Exhibit 10: Decrypting the binary using CyberChef_


-----

t out a g to u y deob uscate t e uto t sc pt, e co e ted t e sc pt to a e ecutab e a d p oceeded t debugg g ( b t )
We were able to extract the deobfuscated Mars Stealer executable by leveraging the debugger. It should be noted that Mars Stealer is loading
its own copy of NTDLL.DLL and renames it (Exhibit 12). NTDLL.DLL is responsible for injecting Mars Stealer into explorer.exe module during
[the runtime (Exhibit 13-14). A similar technique was observed in Oasis Stealer and thoroughly described by a Malware Analyst, hasherezade.](https://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/)

[Endpoint Detection and Response (EDR) uses API hooking to monitor suspicious processes in real time. It is a common practice for EDR](https://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis)
solutions to hook the functions exported from NTDLL.DLL. The library does not rely on other DLL (Dynamic Link Library) dependencies. In
[addition, it is also responsible for exporting Native APIs that are often abused by malware developers. Moreover, in order to bypass the](https://en.wikipedia.org/wiki/Native_API)
detection by EDR tools, attacker(s) will independently load a copy of NTDLL.DLL (Exhibit 15).

_Exhibit 11: Credential stealing evidence from the debugger_

_Exhibit 12: Renamed copy of NTDLL.DLL (partially deobfuscated AutoIt script)_

Exhibit 13: Mars Stealer is being injected into explorer.exe (1)


-----

_Exhibit 14: Mars Stealer is being injected into explorer.exe (2)_

_Exhibit 15: Custom loaded NTDLL.DLL_

It is also worth noting that another executable was dropped via the remote session on the victim’s machine – consoleappmrss.exe. The
executable contained an embedded file named Installer_ovl.exe, which was written in C#.

The executable connected to the shortened URL (tiny[.]one), a Discord CDN to retrieve another file named
DebugViewPortable_4_90_Release_3_English_online_Auejpzlt.bmp (Exhibit 16).


-----

_Exhibit 16: The file reaches out to Discord CDN to download additional payloads_

At the time of the analysis, the link to the BMP file was not accessible. We believe that the attacker(s) tried to retrieve additional payloads, but
the attempt was unsuccessful.

### Mars Stealer and C2 Panel Analysis

The deobfuscated Mars Stealer was written in ASM/C and approximately 162KB in size. The compilation date was March 29, 2022, which
suggests that the attacker(s) modified the stealer right before shipping it onto the victim’s machine.

The stealer includes anti-debugging and anti-sandbox features:

[For anti-debugging purposes, it manually checks the PEB (Process Environment Block) for BeingDebugged flag.](https://docs.microsoft.com/en-us/windows/win32/api/winternl/ns-winternl-peb)
[For anti-sandboxing, the stealer sleeps for 16000 milliseconds (about 16 seconds) and calls GetTickCount API (Exhibit 17) to retrieve the](https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount)
number of milliseconds that have passed since the system was started and the number of milliseconds of the current running time.

Both values get subtracted and are compared to 12000 milliseconds (about 12 seconds).
If the value is less than 12000, it means that the Sleep function was skipped by the debugger or sandbox, and the sample exits
(Exhibit 18).

The sample also performs anti-emulation checks for Windows Defender Antivirus on values HAL9TH and JohnDoe (Exhibit 19).

_Exhibit 17: Using GetTickCount() for anti-debugging purposes_


-----

_Exhibit 18: If the sample is being debugged, the running process terminates_

_Exhibit 19: Windows Defender Antivirus anti-emulation checks_

Mars Stealer will exit if the following languages are detected (Exhibit 20):

Uzbekistan
Azerbaijan
Kazakhstan
Russia
Belarus

_Exhibit 20: Language check using GetUserDefaultUILanguage function_

The language checks are also performed within the Mars Stealer panel (Exhibit 21).


-----

_Exhibit 21: Language check in PHP component_

The strings in .RDATA section are XOR’ed (XOR or "exclusive or" is a logical operator that yields true if exactly one (not both) of two conditions
is true) with different keys as shown in Exhibit 22. The first batch of decrypted strings are mostly API calls (Exhibit 23).

_Exhibit 22: XOR-encoding routine_

_Exhibit 23: Decrypted strings (1)_

From another batch of decrypted strings, we can observe the following (Exhibit 24):

1. C2 channel
2. Mutex value
3 C2 channel (same as #1)


-----

depe de c es equ ed o t e stea e to u ct o p ope y
5. The stealer fingerprints the following information on the infected machine and outputs it to system.txt file:

Tag (the tag of the Stealer build)
Country
IP
Working Path
Local Time
Time Zone
Display Language
Keyboard Languages
Laptop/Desktop
Processor
Installed RAM
OS (Operating Systems)
Video card
Display Resolution
PC name
Username
Installed Software

_Exhibit 24: Decrypted strings (2)_

Mars Stealer avoids reinfection by looking up a Mutex value 67820366929896267194. If the host returns the code
ERROR_ALREADY_EXISTS (183), the stealer quits running (Exhibit 25).


-----

_Exhibit 25: Checks if Mutex value already exists_

Mars Stealer has grabber and loader capabilities. The grabber functionality allows the attacker(s) to specify what files to collect, from which
paths and the maximum file size. The following constant paths allow Mars Stealer to grab a victim’s data (Exhibit 26):

%DESKTOP%
%APPDATA% - path to Roaming folder (C:\Users\*user*\AppData\Roaming)
%LOCALAPPDATA% - path to Local folder (C:\Users\*user*\AppData\Local)
%USERPROFILE% - path to User’s folder (C:\Users\*user*\)

Exhibit 26: Grab panel

The loader allows the attacker(s) to upload additional payloads to the infected host including the modified/upgraded version of Mars Stealer.
The loader functionality has the same constant paths mentioned above. The attacker(s) can enable the “Cold Wallet” option in the Loader
panel, but it only works if the infected machine stores files related to crypto wallets and plugins (Exhibit 27).


-----

_Exhibit 27: Loader panel_

As a part of the configuration, the attacker(s) can set up a Telegram Bot, which is used to receive the logs from infected machines. The
settings panel also allows the attacker(s) to enable the following folders/files to collect:

Downloads
History
Autofill (passwords, payment methods, addresses, etc.)
Screenshot
Discord

The attacker(s) can also choose the “Build self-delete” option to remove the stealer on the infected machine. The self-delete command is
executed via command line (Exhibit 28):

/c timeout /t 5 & del /f /q "%s" & exit

_Exhibit 28: Self-deletion function_

It is worth mentioning that the attacker(s) can replace their cryptocurrency and 2FA authenticator extensions in the browser with the ones
collected on the victim’s machine and eventually obtain access to it Here is the list of cryptocurrency extensions the stealer collects:


-----

|Crypto wallet|Extension|
|---|---|
|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|
|MetaMask Binance Chain Wallet|nkbihfbeogaeaoehlefnkodbefgpgknn fhbohimaelbohpjbbldcngcnapndodjp|
|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|
|Nifty Wallet|jbdaocneiiinmjbjlgalhcelgbejmnid|
|Math Wallet|afbcbjpbpfadlkmhmclhkeeodmamcflc|
|Coinbase Wallet|hnfanknocfeofbddgcijnmhnfnkdnaad|
|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|
|EQUAL Wallet|blnieiiffboillknjnepogjhkgnoapac|
|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|
|BitApp Wallet|fihkakfobkmkjojpchpfgcmhfjnmnfpi|
|iWallet|kncchdigobghenbbaddojjnnaogfppfj|
|Wombat|amkmjjmmflddogmhpjloimipbofnfjih|
|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|
|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|
|Saturn Wallet|nkddgncdjgjfcddamfgcmfnlhccnimig|
|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|
|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|
|Clover Wallet|nhnkbkgjikgcigadomkphalanndcapjk|
|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|
|Terra Station|aiifbnbfobpmeekipheeijimdpnlpgpp|
|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|
|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|
|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|
|Auro Wallet|cnmamaachppnkjgnildpdmkaakejnhae|
|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|
|ICONex|flpiciilemghbmfalicajoolhkkenfel|
|Nabox Wallet|nknhiehlklippafakaeklbeglecifhad|
|KHC|hcflpincpppdclinealmandijcmnkbgn|
|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|
|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|
|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|
|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|
|OneKey|infeboajgfhgbjpjbeppbkgnabfdkdaf|
|LeafWallet|cihmoadaighcejopammfbmddcmdekcje|
|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|
|BitClip|ijmpgkjfkbfhoebgogflfebnmejmfbml|
|Steem Keychain|lkcjlnjfpbikmcmbachjpdbijejflpcm|


Nash Extension onofpnbbkehpmmoabgpcpmigafmmnjhl


-----

|Hycon Lite Client|bcopgchhojmggmffilplmbdicgaihlkp|
|---|---|
|ZilPay|klnaejjgbibmhlephnhpmaofohgkpgkd|
|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|


Below is the list of 2FA Authenticator extensions:

**2FA Authenticator** **Extension**

Authenticator bhghoamapcdpbohphigoooaddinpkbai

Authy gaedmjdfmmahhbjefcbgaolhhanlaolb

EOS Authenticator oeljdldpnmdbchonielidgobddffflal

GAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl?hl=ru

Trezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk?hl=ru

Moreover, the stealer gathers the credentials and sensitive data from numerous browsers and crypto wallets (Exhibit 29).

Exhibit 29: The function responsible for gathering crypto wallet data

**Supported browsers:**

Internet Explorer, Microsoft Edge, Google Chrome, Chromium, Microsoft Edge (Chromium version), Kometa, Amigo, Torch, Orbitum, Comodo
Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi, CocCoc, Uran Browser, QIP Surf, Cent Browser,
Elements Browser, TorBro Browser, CryptoTab Browser, Brave Browser, Opera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser,
PaleMoon, Waterfox, Cyberfox, BlackHawk, IceCat, KMeleon, Thunderbird

**Supported crypto wallets:**

Dogecoin, Zcash, DashCore, LiteCoin, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX, Atomic, Binance,
Coinomi

### C2 Communication

[The infected machine occasionally sends the POST requests to http://162.33.178[.]122/fakeurl.htm, which is a NetSupportManager server](http://162.33.0.178/)
(Exhibit 30).

|2FA Authenticator|Extension|
|---|---|
|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|
|Authy|gaedmjdfmmahhbjefcbgaolhhanlaolb|
|EOS Authenticator|oeljdldpnmdbchonielidgobddffflal|
|GAuth Authenticator|ilgcnhelpchnceeipipijaljkblbcobl?hl=ru|
|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk?hl=ru|


-----

_Exhibit 30: POST requests of NetSupport Manager traffic_
The victim then reaches out to the Mars Stealer C2 server (/request) to grab additional DLL dependencies (Exhibit 31):

softokn3.dll (Mozilla Firefox Library)
sqlite3.dll (used for SQLite database)
vcruntime140.dll (Microsoft Visual Studio runtime library)
freebl3.dll (Mozilla NSS freebl Library)
mozglue.dll (Mozilla Firefox Library)
msvcp140.dll (Microsoft Visual Studio runtime library)
nss3.dll (Network Security Services Mozilla Firefox Library)


-----

_Exhibit 31: The infected machine is reaching out to C2 Server to retrieve DLL components_

The infected machine then sends out the collected data including RDP credentials and certificates in a ZIP archive to Mars Stealer C2 (Exhibit
32).

_Exhibit 32: Exfiltrated data sent out to C2_

The following is an example of the exfiltrated data and the contents of the previously mentioned system.txt file (Exhibit 33).


-----

_Exhibit 33: The contents of the exfiltrated ZIP archive including system.txt_

[During the analysis of Mars Stealer, we observed a number of similarities with Oski Stealer including anti-emulation and self-removal](https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer)
capabilities, language checks, loader, and grabber features of the stealer. The obfuscation mechanism is also identical to the previous versions
of Mars Stealer: RC4 decryption key and Base64 strings. The Oski Stealer author removed the Telegram Support channel and stopped
responding to requests on Oski Stealer at the end of June 2020.

eSentire’s TRU team accesses with high confidence that Mars Stealer is a successor of Oski Stealer, although it is worth noting that unlike
Oski Stealer, Mars Stealer does not support Outlook data and credential exfiltration.

## How eSentire is Responding

Our Threat Response Unit (TRU) team combines threat intelligence obtained from research and cybersecurity incidents to create practical
outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying
countermeasures, such as:

Implementing cyber threat detections to identify malicious command execution, usage of renamed tools and ensure that eSentire has
[visibility and detections are in place across eSentire MDR for Endpoint and](https://www.esentire.com/how-we-do-it/signals/endpoint) [MDR for Network.](https://www.esentire.com/how-we-do-it/signals/network)
Performing global cyber threat hunts for indicators associated with Mars Stealer.

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts respond rapidly to any
intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU closely monitors the threat landscape
and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

## Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against SolarMarker malware:

[Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on emerging threats in](https://www.esentire.com/what-we-do/managed-vulnerability-and-risk/technical-testing/security-awareness-training-managed-phishing-training)
the threat landscape.
[Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.](https://www.esentire.com/how-we-do-it/signals/endpoint)
Prevent web browsers from automatically saving and storing passwords. It is recommended to use password managers instead.
Enable multi-factor authentication whenever it is applicable.

While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical business decisions must
be made. Preventing the various cyberattack paths utilized by the modern threat actor requires actively monitoring the threat landscape,
developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and
leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced cyber threats.

If you are not currently engaged with an MDR provider, [eSentire MDR can help you reclaim the advantage and put your business ahead of](https://www.esentire.com/what-we-do/esentire-managed-detection-and-response)
di ti


-----

ea at t ea s to a e a e te tea o eat u te s a d esea c e s t at o s o you Co ect t a eSe t e Secu ty Spec a st

## Appendix

### Indicators of Compromise

**Name** **Indicators**

googleglstatupdt[.]com Hosting ChromeSetup ISO

zrianevakn1[.]com NetSupportManager RAT C2

162[.]33.178.122 NetSupportManager RAT C2

115d1ae8b95551108b3a902e48b3f163 ChromeSetup.iso

b15e0db8f65d7df27c07afe2981ff5a755666dce ChromeSetup.exe

37c24b4b6ada4250bc7c60951c5977c0 NetSupportManager RAT

5[.]45.84.214 Mars Stealer C2 (Offline)

e57756b675ae2aa07c9ec7fa52f9de33935cbc0f Mars Stealer

e3c91b6246b2b9b82cebf3700c0a7093bacaa09b Esitanza.exe.pif (renamed AutoIt)

e3c91b6246b2b9b82cebf3700c0a7093bacaa09b ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt
scripts)

5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a Installer_ovl.exe

2a2b00d0555647a6d5128b7ec87daf03a0ad568f consoleappmrss.exe

3c80b89e7d4fb08aa455ddf902a3ea236d3b582a Fervore.wmd (obfuscated AutoIt script)

26136c59afe28fc6bf1b3aeba8946ac2c3ce61df Vai.wmd (obfuscated AutoIt script, contains Mars Stealer)

e6f18804c94f2bca5a0f6154b1c56186d4642e6b Una.wmd (obfuscated AutoIt script)

### Yara Rules
```
import "pe"
rule MarsStealer {
  meta:
    description = "Identifies Mars Stealer malware"
    author = "eSentire TI"
    date = "04/20/2022"
    hash = "e57756b675ae2aa07c9ec7fa52f9de33935cbc0f"
  strings:
    $string1 = "C:\\ProgramData\\nss3.dll"
    $string2 = "passwords.txt" 
    $string3 = "screenshot.jpg" 
    $string4 = "*wallet*.dat" 
    $string5 = "Grabber\\%s.zip"
  condition:
    all of ($string*) and
    (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)    
}

 Skip To:

```
Key Takeaways:
Case Study
Technical Analysis of Mars Stealer Infection
How eSentire is Responding
Recommendations from eSentire’s Threat Response Unit (TRU)
Appendix

|Name|Indicators|
|---|---|
|googleglstatupdt[.]com|Hosting ChromeSetup ISO|
|zrianevakn1[.]com|NetSupportManager RAT C2|
|162[.]33.178.122|NetSupportManager RAT C2|
|115d1ae8b95551108b3a902e48b3f163|ChromeSetup.iso|
|b15e0db8f65d7df27c07afe2981ff5a755666dce|ChromeSetup.exe|
|37c24b4b6ada4250bc7c60951c5977c0|NetSupportManager RAT|
|5[.]45.84.214|Mars Stealer C2 (Offline)|
|e57756b675ae2aa07c9ec7fa52f9de33935cbc0f|Mars Stealer|
|e3c91b6246b2b9b82cebf3700c0a7093bacaa09b|Esitanza.exe.pif (renamed AutoIt)|
|e3c91b6246b2b9b82cebf3700c0a7093bacaa09b|ANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and obfuscated AutoIt scripts)|
|5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a|Installer_ovl.exe|
|2a2b00d0555647a6d5128b7ec87daf03a0ad568f|consoleappmrss.exe|
|3c80b89e7d4fb08aa455ddf902a3ea236d3b582a|Fervore.wmd (obfuscated AutoIt script)|
|26136c59afe28fc6bf1b3aeba8946ac2c3ce61df|Vai.wmd (obfuscated AutoIt script, contains Mars Stealer)|
|e6f18804c94f2bca5a0f6154b1c56186d4642e6b|Una.wmd (obfuscated AutoIt script)|


-----