{
	"id": "61cf44e0-7bad-4c97-89c2-24f4d28f2ca9",
	"created_at": "2026-04-06T00:13:46.363225Z",
	"updated_at": "2026-04-10T03:37:08.911067Z",
	"deleted_at": null,
	"sha1_hash": "f34fc92072ef4120116c62b8d914f6bf3803f80a",
	"title": "eSentire Threat Intelligence Malware Analysis: Mars Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33614168,
	"plain_text": "eSentire Threat Intelligence Malware Analysis: Mars Stealer\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 15:50:58 UTC\r\nMars Stealer is an information-stealing malware that first appeared on hacking forums in June 2021, a year after its\r\npredecessor Oski Stealer was discontinued in June 2020. Mars Stealer can target or ‘support’ over 50 crypto wallets and\r\nextensions, is multi-functional, and avoids detection. In addition, its low price on the malware market has generated\r\nsignificant attention from threat actor(s) who are looking to add the effective malware into their arsenal.\r\neSentire's Threat Response Unit (TRU) team previously published a TRU Positive that focused on the cyber threat\r\ninvestigation summary of a singular incident and recommendations regarding Mars Stealer malware. However, this blog post\r\ndelves deeper into the technical details that were gathered during the research and analysis of the Mars Stealer TRU\r\nPositive.\r\nKey Takeaways:\r\nMars Stealer is the latest version of Oski Stealer, which was discontinued in June 2020.\r\nNetSupport RAT (Remote Access Tool), or client32.exe, was embedded in a ChromeSetup.exe file and used by an\r\nattacker to gain access to a victim’s workstation for further deployment of tools needed to plant Mars Stealer.\r\nAn executable with the original filename 3uAirPlayer was used to deploy obfuscated AutoIt scripts with Mars Stealer\r\nembedded inside and a renamed version of AutoIt to evade detections.\r\nThe persistence mechanism was created to make sure the attacker(s) maintain access to NetSupportManager as a\r\nbackdoor.\r\nMars Stealer can delete itself after successfully exfiltrating the victim’s data, leaving no trace behind.\r\nCase Study\r\nThe first mention of Mars Stealer appeared on Russian-speaking forums in June 2021 and at the time, it was being sold for\r\n$140 a month (Exhibit 1).\r\nExhibit 1: Advertisement on Mars Stealer\r\nMars Stealer 
allegedly ‘supports’, or is capable of, harvesting data from common browsers, crypto wallets, and two-factor\r\nauthentication (2FA) and crypto extensions. Since the release of Mars Stealer, eSentire’s Threat Response Unit (TRU) team\r\nhas observed a number of cracked versions being distributed by a reverse engineer who goes under the username ‘LLCPPC’.\r\nThe latest version is Mars Stealer v8 (Exhibit 2).\r\nhttps://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer\r\nPage 1 of 16\n\nExhibit 2: Mars Stealer v8 advertisement\r\nMars Stealer has been delivered as a drive-by download via cloned websites for known software, such as Open Office. The\r\nmalware is also distributed as patching software and keygens on gaming forums. In the incident observed by eSentire, the\r\nstealer was delivered via the NetSupportManager RAT.\r\nTechnical Analysis of Mars Stealer Infection\r\nInitial Access\r\nThe initial access vector occurred when the victim visited a malicious website hosting an ISO image named\r\nChromeSetup.iso (hxxps[:]//googleglstatupdt[.]com/LEND/ChromeSetup[.]iso).\r\nThe ISO image contained ChromeSetup.exe, which had an embedded NetSupportManager RAT and a Chrome Updater in a\r\ncabinet (CAB) archive-file format (Exhibits 3-4).\r\nExhibit 3: Cabinet section under RCData\r\nExhibit 4: Contents of the extracted CAB file\r\nThe NetSupportManager RAT was obfuscated by the attacker as ‘21m_18_033.exe’. The RAT was installed in tandem when\r\nthe victim opened ChromeSetup.exe. Persistence was achieved by the RAT via a Startup LNK file through the following\r\npath:\r\nc:\\users\\*\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\autorunings.ini.lnk\r\nThe LNK runs the RAT under C:\\Users\\*\\AppData\\Roaming\\WinSupports\\client32.exe after each reboot attempt.\r\nIt is worth noting that attacks involving RATs do not usually start with the full infection chain once the user executes the\r\ninitial payload. 
The attacker would need additional time to access the RAT and load additional payloads. In the incident we\r\nanalyzed, the attacker’s movement in the network can be observed in Exhibit 5.\r\nExhibit 5: Infection chain\r\naNpRAHx.exe (original name: 3uAirPlayer.exe) was used to plant the following AutoIt scripts on the victim’s workstation\r\nunder the path C:\\Users\\*\\AppData\\Local\\Temp\\IXP001.TMP:\r\nuna.wmd\r\nfervore.wmd\r\nvai.wmd\r\nThe scripts were embedded within the CAB file of the executable (Exhibits 6-7).\r\nExhibit 6: Cabinet section under RCData (aNpRAHx.exe)\r\nExhibit 7: Contents of the CAB file\r\nThe AutoIt scripts were highly obfuscated. Within the aNpRAHx.exe resources, there was a POSTRUNPROGRAM section\r\nthat contained the following command:\r\nEsitanza.exe.pif: the renamed AutoIt program\r\nuna.wmd: the script responsible for dropping Esitanza.exe\r\nvai.wmd: the core script that contains Mars Stealer, its dependencies, and a copy of the NTDLL.DLL file\r\nExhibit 8: Obfuscated Fervore.wmd script\r\nThe post-run command was also responsible for running the following commands on the host:\r\nfind /I /N \"bullguardcore.exe\"\r\nfind /I /N \"psuaservice.exe\"\r\nfindstr /V /R\r\n\"^UzERaIroWGYHeuAyIPBJMSUyDIptkdLqzqzZHgBHJNQEeOwczSBTavTwnmhKnZWGVYgwNAnxhUZYefrOGNKzOSHWiaAoqRoKRlJtm\r\nUna.wmd\r\ntasklist /FI \"imagename eq BullGuardCore.exe\"\r\ntasklist /FI \"imagename eq PSUAService.exe\"\r\nAs indicated above, vai.wmd is the script responsible for loading additional dependencies as well as Mars Stealer. The value\r\n$ARZURr holds the obfuscated Mars Stealer version (Exhibit 9). 
The RC4 key was derived from the following pattern:\r\nBinary(MRPvnDnroX(\"58}59}59}63}61}63}60}60}58}59}62}63}57}57}58}64}56}63}57}63}57}63}57}61}60}57}60\",7)))))\r\nThe pattern subtracts 7 from each number and converts the result to its ASCII character. The RC4 key to decrypt the Mars\r\nStealer is “344868553478223918282826525”.\r\nExhibit 9: The hex values of the obfuscated Mars Stealer\r\nAfter decrypting the binary (Exhibit 10), there appeared to be another layer of obfuscation added to the file that was\r\ndecrypted during runtime.\r\nExhibit 10: Decrypting the binary using CyberChef\r\nWithout having to fully deobfuscate the AutoIt script, we converted the script into an executable and proceeded with\r\ndebugging (Exhibit 11). We were able to extract the deobfuscated Mars Stealer executable by leveraging the debugger. It\r\nshould be noted that Mars Stealer loads its own copy of NTDLL.DLL and renames it (Exhibit 12). This NTDLL.DLL copy is\r\nresponsible for injecting Mars Stealer into the explorer.exe module during runtime (Exhibits 13-14). A similar technique was\r\nobserved in Oasis Stealer and thoroughly described by the malware analyst hasherezade.\r\nEndpoint Detection and Response (EDR) uses API hooking to monitor suspicious processes in real time. It is a common\r\npractice for EDR solutions to hook the functions exported from NTDLL.DLL. The library does not rely on other DLL\r\n(Dynamic Link Library) dependencies. In addition, it is also responsible for exporting Native APIs that are often abused by\r\nmalware developers. 
Moreover, in order to bypass detection by EDR tools, attacker(s) will independently load a copy of\r\nNTDLL.DLL (Exhibit 15).\r\nExhibit 11: Credential stealing evidence from the debugger\r\nExhibit 12: Renamed copy of NTDLL.DLL (partially deobfuscated AutoIt script)\r\nExhibit 13: Mars Stealer is being injected into explorer.exe (1)\r\nExhibit 14: Mars Stealer is being injected into explorer.exe (2)\r\nExhibit 15: Custom loaded NTDLL.DLL\r\nIt is also worth noting that another executable was dropped via the remote session on the victim’s machine –\r\nconsoleappmrss.exe. The executable contained an embedded file named Installer_ovl.exe, which was written in C#.\r\nThe executable connected to a shortened URL (tiny[.]one) pointing to a Discord CDN to retrieve another file named\r\nDebugViewPortable_4_90_Release_3_English_online_Auejpzlt.bmp (Exhibit 16).\r\nExhibit 16: The file reaches out to Discord CDN to download additional payloads\r\nAt the time of the analysis, the link to the BMP file was not accessible. We believe that the attacker(s) tried to retrieve\r\nadditional payloads, but the attempt was unsuccessful.\r\nMars Stealer and C2 Panel Analysis\r\nThe deobfuscated Mars Stealer was written in ASM/C and approximately 162KB in size. 
The compilation date was March\r\n29, 2022, which suggests that the attacker(s) modified the stealer right before shipping it onto the victim’s machine.\r\nThe stealer includes anti-debugging and anti-sandbox features:\r\nFor anti-debugging purposes, it manually checks the PEB (Process Environment Block) for the BeingDebugged flag.\r\nFor anti-sandboxing, the stealer sleeps for 16000 milliseconds (about 16 seconds) and calls the GetTickCount API\r\n(Exhibit 17) to retrieve the number of milliseconds that have passed since the system was started and the number of\r\nmilliseconds of the current running time.\r\nThe difference between the two values is compared to 12000 milliseconds (about 12 seconds).\r\nIf the difference is less than 12000, it means that the Sleep call was skipped by the debugger or sandbox, and\r\nthe sample exits (Exhibit 18).\r\nThe sample also performs anti-emulation checks for Windows Defender Antivirus on the values HAL9TH and JohnDoe\r\n(Exhibit 19).\r\nExhibit 17: Using GetTickCount() for anti-debugging purposes\r\nExhibit 18: If the sample is being debugged, the running process terminates\r\nExhibit 19: Windows Defender Antivirus anti-emulation checks\r\nMars Stealer will exit if the following languages are detected (Exhibit 20):\r\nUzbekistan\r\nAzerbaijan\r\nKazakhstan\r\nRussia\r\nBelarus\r\nExhibit 20: Language check using GetUserDefaultUILanguage function\r\nThe language checks are also performed within the Mars Stealer panel (Exhibit 21).\r\nExhibit 21: Language check in PHP component\r\nThe strings in the .RDATA section are XOR’ed (XOR or \"exclusive or\" is a logical operator that yields true if exactly one (not\r\nboth) of two conditions is true) with different keys as shown in Exhibit 22. 
The first batch of decrypted strings is mostly\r\nAPI calls (Exhibit 23).\r\nExhibit 22: XOR-encoding routine\r\nExhibit 23: Decrypted strings (1)\r\nFrom another batch of decrypted strings, we can observe the following (Exhibit 24):\r\n1. C2 channel\r\n2. Mutex value\r\n3. C2 channel (same as #1)\r\n4. DLL dependencies required for the stealer to function properly\r\n5. The stealer fingerprints the following information on the infected machine and outputs it to the system.txt file:\r\nTag (the tag of the Stealer build)\r\nCountry\r\nIP\r\nWorking Path\r\nLocal Time\r\nTime Zone\r\nDisplay Language\r\nKeyboard Languages\r\nLaptop/Desktop\r\nProcessor\r\nInstalled RAM\r\nOS (Operating System)\r\nVideo card\r\nDisplay Resolution\r\nPC name\r\nUsername\r\nInstalled Software\r\nExhibit 24: Decrypted strings (2)\r\nMars Stealer avoids reinfection by looking up the Mutex value 67820366929896267194. If the host returns the code\r\nERROR_ALREADY_EXISTS (183), the stealer quits running (Exhibit 25).\r\nExhibit 25: Checks if Mutex value already exists\r\nMars Stealer has grabber and loader capabilities. The grabber functionality allows the attacker(s) to specify what files to\r\ncollect, from which paths and the maximum file size. The following constant paths allow Mars Stealer to grab a victim’s\r\ndata (Exhibit 26):\r\n%DESKTOP%\r\n%APPDATA% - path to Roaming folder (C:\\Users\\*user*\\AppData\\Roaming)\r\n%LOCALAPPDATA% - path to Local folder (C:\\Users\\*user*\\AppData\\Local)\r\n%USERPROFILE% - path to User’s folder (C:\\Users\\*user*\\)\r\nExhibit 26: Grab panel\r\nThe loader allows the attacker(s) to upload additional payloads to the infected host including the modified/upgraded version\r\nof Mars Stealer. 
The loader functionality has the same constant paths mentioned above. The attacker(s) can enable the “Cold\r\nWallet” option in the Loader panel, but it only works if the infected machine stores files related to crypto wallets and plugins\r\n(Exhibit 27).\r\nExhibit 27: Loader panel\r\nAs a part of the configuration, the attacker(s) can set up a Telegram Bot, which is used to receive the logs from infected\r\nmachines. The settings panel also allows the attacker(s) to enable the following folders/files to collect:\r\nDownloads\r\nHistory\r\nAutofill (passwords, payment methods, addresses, etc.)\r\nScreenshot\r\nDiscord\r\nThe attacker(s) can also choose the “Build self-delete” option to remove the stealer from the infected machine. The self-delete\r\ncommand is executed via command line (Exhibit 28):\r\n/c timeout /t 5 \u0026 del /f /q \"%s\" \u0026 exit\r\nExhibit 28: Self-deletion function\r\nIt is worth mentioning that the attacker(s) can replace their cryptocurrency and 2FA authenticator extensions in the browser\r\nwith the ones collected on the victim’s machine and eventually obtain access to it. 
Here is the list of cryptocurrency\r\nextensions the stealer collects:\r\nCrypto wallet Extension ID\r\nTronLink ibnejdfjmmkpcnlpebklmnkoeoihofec\r\nMetaMask nkbihfbeogaeaoehlefnkodbefgpgknn\r\nBinance Chain Wallet fhbohimaelbohpjbbldcngcnapndodjp\r\nYoroi ffnbelfdoeiohenkjibnmadjiehjhajb\r\nNifty Wallet jbdaocneiiinmjbjlgalhcelgbejmnid\r\nMath Wallet afbcbjpbpfadlkmhmclhkeeodmamcflc\r\nCoinbase Wallet hnfanknocfeofbddgcijnmhnfnkdnaad\r\nGuarda hpglfhgfnhbgpjdenjgmdgoeiappafln\r\nEQUAL Wallet blnieiiffboillknjnepogjhkgnoapac\r\nJaxx Liberty cjelfplplebdjjenllpjcblmjkfcffne\r\nBitApp Wallet fihkakfobkmkjojpchpfgcmhfjnmnfpi\r\niWallet kncchdigobghenbbaddojjnnaogfppfj\r\nWombat amkmjjmmflddogmhpjloimipbofnfjih\r\nMEW CX nlbmnnijcnlegkjjpcfjclmcfggfefdm\r\nGuildWallet nanjmdknhkinifnkgdcggcfnhdaammmj\r\nSaturn Wallet nkddgncdjgjfcddamfgcmfnlhccnimig\r\nRonin Wallet fnjhmkhhmkbjkkabndcnnogagogbneec\r\nNeoLine cphhlgmgameodnhkjdmkpanlelnlohao\r\nClover Wallet nhnkbkgjikgcigadomkphalanndcapjk\r\nLiquality Wallet kpfopkelmapcoipemfendmdcghnegimn\r\nTerra Station aiifbnbfobpmeekipheeijimdpnlpgpp\r\nKeplr dmkamcknogkgcdfhhbddcghachkejeap\r\nSollet fhmfendgdocmcbmfikdcogofphimnkno\r\nAuro Wallet cnmamaachppnkjgnildpdmkaakejnhae\r\nPolymesh Wallet jojhfeoedkpkglbfimdfabpdfjaoolaf\r\nICONex flpiciilemghbmfalicajoolhkkenfel\r\nNabox Wallet nknhiehlklippafakaeklbeglecifhad\r\nKHC hcflpincpppdclinealmandijcmnkbgn\r\nTemple ookjlbkiijinhpmnjffcofjonbfbgaoc\r\nTezBox mnfifefkajgofkcjkemidiaecocnkjeh\r\nCyano Wallet dkdedlpgdmmkkfjabffeganieamfklkm\r\nByone nlgbhdfgdhgbiamfdfmbikcdghidoadd\r\nOneKey infeboajgfhgbjpjbeppbkgnabfdkdaf\r\nLeafWallet cihmoadaighcejopammfbmddcmdekcje\r\nDAppPlay lodccjjbdhfakaekdiahmedfbieldgik\r\nBitClip ijmpgkjfkbfhoebgogflfebnmejmfbml\r\nSteem Keychain lkcjlnjfpbikmcmbachjpdbijejflpcm\r\nNash 
Extension onofpnbbkehpmmoabgpcpmigafmmnjhl\r\nHycon Lite Client bcopgchhojmggmffilplmbdicgaihlkp\r\nZilPay klnaejjgbibmhlephnhpmaofohgkpgkd\r\nCoin98 Wallet aeachknmefphepccionboohckonoeemg\r\nBelow is the list of 2FA Authenticator extensions:\r\n2FA Authenticator Extension ID\r\nAuthenticator bhghoamapcdpbohphigoooaddinpkbai\r\nAuthy gaedmjdfmmahhbjefcbgaolhhanlaolb\r\nEOS Authenticator oeljdldpnmdbchonielidgobddffflal\r\nGAuth Authenticator ilgcnhelpchnceeipipijaljkblbcobl?hl=ru\r\nTrezor Password Manager imloifkgjagghnncjkhggdhalmcnfklk?hl=ru\r\nMoreover, the stealer gathers the credentials and sensitive data from numerous browsers and crypto wallets (Exhibit 29).\r\nExhibit 29: The function responsible for gathering crypto wallet data\r\nSupported browsers:\r\nInternet Explorer, Microsoft Edge, Google Chrome, Chromium, Microsoft Edge (Chromium version), Kometa, Amigo,\r\nTorch, Orbitum, Comodo Dragon, Nichrome, Maxthon5, Maxthon6, Sputnik Browser, Epic Privacy Browser, Vivaldi,\r\nCocCoc, Uran Browser, QIP Surf, Cent Browser, Elements Browser, TorBro Browser, CryptoTab Browser, Brave Browser,\r\nOpera Stable, Opera GX, Opera Neon, Firefox, SlimBrowser, PaleMoon, Waterfox, Cyberfox, BlackHawk, IceCat,\r\nKMeleon, Thunderbird\r\nSupported crypto wallets:\r\nDogecoin, Zcash, DashCore, LiteCoin, Ethereum, Electrum, Electrum LTC, Exodus, Electron Cash, MultiDoge, JAXX,\r\nAtomic, Binance, Coinomi\r\nC2 Communication\r\nThe infected machine occasionally sends POST requests to http://162.33.178[.]122/fakeurl.htm, which is a\r\nNetSupportManager server (Exhibit 30).\r\nExhibit 30: POST requests of NetSupport Manager traffic\r\nThe victim then reaches out to the Mars Stealer C2 server (/request) to grab additional DLL dependencies (Exhibit 31):\r\nsoftokn3.dll (Mozilla Firefox Library)\r\nsqlite3.dll (used for SQLite database)\r\nvcruntime140.dll (Microsoft 
Visual Studio runtime library)\r\nfreebl3.dll (Mozilla NSS freebl Library)\r\nmozglue.dll (Mozilla Firefox Library)\r\nmsvcp140.dll (Microsoft Visual Studio runtime library)\r\nnss3.dll (Network Security Services Mozilla Firefox Library)\r\nExhibit 31: The infected machine is reaching out to C2 Server to retrieve DLL components\r\nThe infected machine then sends out the collected data including RDP credentials and certificates in a ZIP archive to Mars\r\nStealer C2 (Exhibit 32).\r\nExhibit 32: Exfiltrated data sent out to C2\r\nThe following is an example of the exfiltrated data and the contents of the previously mentioned system.txt file (Exhibit 33).\r\nExhibit 33: The contents of the exfiltrated ZIP archive including system.txt\r\nDuring the analysis of Mars Stealer, we observed a number of similarities with Oski Stealer including anti-emulation and\r\nself-removal capabilities, language checks, loader, and grabber features of the stealer. The obfuscation mechanism is also\r\nidentical to the previous versions of Mars Stealer: RC4 decryption key and Base64 strings. The Oski Stealer author removed\r\nthe Telegram Support channel and stopped responding to requests on Oski Stealer at the end of June 2020.\r\neSentire’s TRU team assesses with high confidence that Mars Stealer is a successor of Oski Stealer, although it is worth\r\nnoting that unlike Oski Stealer, Mars Stealer does not support Outlook data and credential exfiltration.\r\nHow eSentire is Responding\r\nOur Threat Response Unit (TRU) team combines threat intelligence obtained from research and cybersecurity incidents to\r\ncreate practical outcomes for our customers. 
We are taking a full-scale response approach to combat modern cybersecurity\r\nthreats by deploying countermeasures, such as:\r\nImplementing cyber threat detections to identify malicious command execution and usage of renamed tools, and ensuring\r\nthat eSentire has visibility and detections in place across eSentire MDR for Endpoint and MDR for Network.\r\nPerforming global cyber threat hunts for indicators associated with Mars Stealer.\r\nOur detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts\r\nrespond rapidly to any intrusion attempts related to known malware Tactics, Techniques, and Procedures. In addition, TRU\r\nclosely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess\r\ncustomer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWe recommend implementing the following controls to help secure your organization against SolarMarker malware:\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on\r\nemerging threats in the threat landscape.\r\nConfirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.\r\nPrevent web browsers from automatically saving and storing passwords. It is recommended to use password\r\nmanagers instead.\r\nEnable multi-factor authentication whenever it is applicable.\r\nWhile the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical\r\nbusiness decisions must be made. 
Preventing the various cyberattack paths utilized by the modern threat actor requires\r\nactively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs \u0026\r\nnetwork data during active intrusions.\r\neSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat\r\nintelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to\r\nadvanced cyber threats.\r\nIf you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your\r\nbusiness ahead of disruption.\r\nLearn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire\r\nSecurity Specialist.\r\nAppendix\r\nhttps://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer\r\nhttps://blog.morphisec.com/threat-research-mars-stealer\r\nhttps://cyberint.com/blog/research/mars-stealer/\r\nhttps://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer\r\nhttps://docs.microsoft.com/en-us/windows/win32/api\r\nhttps://www.ired.team/offensive-security/defense-evasion/bypassing-cylance-and-other-avs-edrs-by-unhooking-windows-apis\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/08/process-doppelganging-meets-process-hollowing_osiris/\r\nIndicators of Compromise\r\nName Indicators\r\ngoogleglstatupdt[.]com Hosting ChromeSetup ISO\r\nzrianevakn1[.]com NetSupportManager RAT C2\r\n162[.]33.178.122 NetSupportManager RAT C2\r\n115d1ae8b95551108b3a902e48b3f163 ChromeSetup.iso\r\nb15e0db8f65d7df27c07afe2981ff5a755666dce ChromeSetup.exe\r\n37c24b4b6ada4250bc7c60951c5977c0 NetSupportManager RAT\r\n5[.]45.84.214 Mars Stealer C2 (Offline)\r\ne57756b675ae2aa07c9ec7fa52f9de33935cbc0f Mars 
Stealer\r\ne3c91b6246b2b9b82cebf3700c0a7093bacaa09b Esitanza.exe.pif (renamed AutoIt)\r\ne3c91b6246b2b9b82cebf3700c0a7093bacaa09b\r\nANpRAHx.exe (disguised as 3uAirPlayer, drops Mars Stealer and\r\nobfuscated AutoIt scripts)\r\n5c4e3e5fda232c31b3d2a2842c5ea23523b1de1a Installer_ovl.exe\r\n2a2b00d0555647a6d5128b7ec87daf03a0ad568f consoleappmrss.exe\r\n3c80b89e7d4fb08aa455ddf902a3ea236d3b582a Fervore.wmd (obfuscated AutoIt script)\r\n26136c59afe28fc6bf1b3aeba8946ac2c3ce61df Vai.wmd (obfuscated AutoIt script, contains Mars Stealer)\r\ne6f18804c94f2bca5a0f6154b1c56186d4642e6b Una.wmd (obfuscated AutoIt script)\r\nYara Rules\r\nimport \"pe\"\r\nrule MarsStealer {\r\n meta:\r\n description = \"Identifies Mars Stealer malware\"\r\n author = \"eSentire TI\"\r\n date = \"04/20/2022\"\r\n hash = \"e57756b675ae2aa07c9ec7fa52f9de33935cbc0f\"\r\n strings:\r\n $string1 = \"C:\\\\ProgramData\\\\nss3.dll\"\r\n $string2 = \"passwords.txt\"\r\n $string3 = \"screenshot.jpg\"\r\n $string4 = \"*wallet*.dat\"\r\n $string5 = \"Grabber\\\\%s.zip\"\r\n condition:\r\n all of ($string*) and\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f)\r\n}\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level\r\nMDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your\r\norganization become more resilient. 
TRU is an elite team of threat hunters and researchers that supports our 24/7 Security\r\nOperations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an\r\nextension of your security team to continuously improve our Managed Detection and Response service. By providing\r\ncomplete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat\r\nhunts augmented by original threat research, we are laser-focused on defending your organization against known and\r\nunknown threats.\r\nSource: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer"
	],
	"report_names": [
		"esentire-threat-intelligence-malware-analysis-mars-stealer"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434426,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f34fc92072ef4120116c62b8d914f6bf3803f80a.pdf",
		"text": "https://archive.orkl.eu/f34fc92072ef4120116c62b8d914f6bf3803f80a.txt",
		"img": "https://archive.orkl.eu/f34fc92072ef4120116c62b8d914f6bf3803f80a.jpg"
	}
}