
Mars Stealer


Mars Stealer is an information-stealing malware family that collects browser credentials, cryptocurrency wallet data, and system information from infected Windows hosts. It hides its API calls and strings to hinder analysis and exfiltrates the stolen data to its command-and-control (C&C) server over an encrypted (SSL) channel.

Type: Stealer
Origin: ex-USSR
First seen: 1 June, 2021
Last seen: 27 September, 2025


IOCs

Hashes
abbc07cd191520417e647a50492373d8f48e0a4f26f04f372f856db8e266462e
b4863f01390b14e5be2f0d510223a3a704d3cab49f5013af73b60097a64403d9
3e8fd15057bf76c51853b4a03f505c85588d13826fd417f9f15b653a9cce49c6
7083052576ebdd75079d25251f24df243395476e0386c25656937a24b6865759
d7c4d6e5ae6f07976416f5182b42252d7421d2277bbd140ac4fd72a278bbe4de
f77bcd1d604e33564039585d2c5235ea27fdd36ef53ab67fff0c646de73362c6
21633dc789d4b162040336f309194782d7976f60ebb379d6325cc04c21346572
2f1dbad2bc8a6b152996dcb415f01ff0350e75119663914aade45be5beb3f024
7fa65bb78bb3b56024b3a1399f6a767b6066ac571a68ec6719085bce7097d0df
Domains
dispatchweekly.com (observed path /14baef17b6d04c23.php)
URLs
http://23.137.249.5/fs89rh4nfg0.php
http://gg.gemkan.online/gate.php
http://dispatchweekly.com/b2ecfe73736f99f5.php
http://dispatchweekly.com/e9c345fc99a4e67e.php
http://dispatchweekly.com/wp.php
http://www.criminalaffair.com/wp-admin/admin-ajax.php
http://dispatchweekly.com/wp-admin/admin-ajax.php
http://rakishev.org/wp-mail.php
http://rakishev.org/wp-load.php
http://rakishev.org/blog.php
http://rakishev.org/xmlrpc.php
http://kenesrakishev.net/wp-cron.php
http://kenesrakishev.net/wp-admin/admin-ajax.php
http://kenesrakishev.net/wp-load.php
http://194.233.168.238/hell.php
http://alpha.twinsources.shop/gate.php
http://google.com/gate.php
http://91.92.250.149/gate.php
http://www.msk-post.com/server/init.php
http://www.moscow-post.su/su/wp-content/lozzz.php
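The list above mixes three kinds of indicator: file hashes, attacker-controlled hosts (gg.gemkan.online, alpha.twinsources.shop, bare IPs) and full URLs on what look like compromised WordPress sites (wp-admin/admin-ajax.php, xmlrpc.php, wp-load.php are endpoints every WordPress install exposes). One entry, http://google.com/gate.php, sits on a legitimate domain, so a rule that blocks on the host part of that URL would block Google. The script below is an added example (not ANY.RUN tooling) of how to consume such a list: it normalizes the URLs, treats an exact-URL match as high confidence and a host-only match as lower confidence, never matches shared hosts such as google.com by host alone, and checks SHA-256 values case-insensitively. The proxy-log and file-hash records are constructed for the demonstration; the indicator values are the ones listed above.

```python
"""IOC matching for the Mars Stealer indicators listed on this page.

Added example (not ANY.RUN tooling). Takes hashes and URLs from the list
above, normalizes them, and checks constructed proxy-log and file-hash
records against them, distinguishing an exact-URL hit from a host-only hit.
"""
from urllib.parse import urlsplit

# Subset of the indicators listed on this page.
MARS_HASHES = {
    "abbc07cd191520417e647a50492373d8f48e0a4f26f04f372f856db8e266462e",
    "b4863f01390b14e5be2f0d510223a3a704d3cab49f5013af73b60097a64403d9",
}
MARS_URLS = [
    "http://23.137.249.5/fs89rh4nfg0.php",
    "http://gg.gemkan.online/gate.php",
    "http://dispatchweekly.com/b2ecfe73736f99f5.php",
    "http://dispatchweekly.com/wp-admin/admin-ajax.php",
    "http://rakishev.org/xmlrpc.php",
    "http://google.com/gate.php",
]

# Legitimate shared hosts: only the full URL counts for these. google.com is
# in the list above; a host-only match would flag all Google traffic.
SHARED_HOSTS = {"google.com"}


def normalize_url(url):
    """Lower-case scheme and host, drop default ports, query and fragment."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").lower()
    port = p.port
    default = (p.scheme == "http" and port == 80) or (p.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{p.scheme}://{host}{p.path or '/'}"


def build_index(urls):
    """Exact-URL set plus a host set that excludes shared hosts."""
    exact = {normalize_url(u) for u in urls}
    hosts = {urlsplit(u).hostname for u in exact} - SHARED_HOSTS
    return exact, hosts


def classify_url(url, index):
    """'url' = exact indicator; 'host' = same host, other path; None = no hit."""
    exact, hosts = index
    n = normalize_url(url)
    if n in exact:
        return "url"
    if urlsplit(n).hostname in hosts:
        return "host"
    return None


def scan_proxy_log(lines, index):
    """Constructed log format: '<time> <client> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed record, skip rather than guess fields
        verdict = classify_url(parts[3], index)
        if verdict:
            hits.append((parts[1], parts[3], verdict))
    return hits


def scan_hashes(records):
    """Constructed format: '<host> <sha256> <path>'; hashes compared lower-case."""
    return [(h, p) for h, s, p in (r.split(None, 2) for r in records)
            if s.lower() in MARS_HASHES]


# Constructed sample data for the demonstration (not real telemetry).
PROXY_LOG = [
    "2025-09-27T10:01:02Z 10.0.0.12 POST http://gg.gemkan.online/gate.php 200",
    "2025-09-27T10:01:05Z 10.0.0.12 GET http://dispatchweekly.com/other.php 404",
    "2025-09-27T10:02:00Z 10.0.0.33 GET http://google.com/search?q=x 200",
    "2025-09-27T10:02:30Z 10.0.0.33 POST HTTP://Google.com:80/gate.php 200",
    "2025-09-27T10:03:00Z 10.0.0.44 GET https://example.org/ 200",
]
HASH_RECORDS = [
    "ws-12 ABBC07CD191520417E647A50492373D8F48E0A4F26F04F372F856DB8E266462E C:\\Users\\u\\Downloads\\setup.exe",
    "ws-33 0000000000000000000000000000000000000000000000000000000000000000 C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    idx = build_index(MARS_URLS)
    for hit in scan_proxy_log(PROXY_LOG, idx):
        print("proxy", hit)
    for hit in scan_hashes(HASH_RECORDS):
        print("hash", hit)
```

With the constructed log, the gate.php requests are exact hits even when the client wrote the host in upper case with an explicit port 80, the Google search is ignored, and the unlisted path on dispatchweekly.com is reported only as a host-level match, which is the right confidence for a domain that may simply be a compromised blog.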


What is Mars Stealer malware?

First identified in June 2021, Mars Stealer is a type of malicious software primarily focused on collecting sensitive information from browsers and cryptocurrency wallets for transmission to attackers. Written in ASM/C, the malware was initially sold through Dark Web forums as a malware-as-a-service on a subscription basis. It shared similar features with other malware like Oski Stealer, Arkei, and Vidar.

The malware appeared to stop functioning in 2022, with reports that its developers had become unresponsive, but there is evidence that the original authors remained active in 2024 and continued to use it in attacks.


Mars Stealer malicious software technical details

Information theft is the core function of Mars Stealer:

  • Browser Credentials: It steals saved logins from popular browsers such as Firefox, Chrome, Opera, and Internet Explorer, using predefined profile paths to locate and extract usernames and passwords.
  • 2FA and Crypto Extension Data: On Chromium-based browsers, Mars Stealer also targets two-factor authentication (2FA) plugins and cryptocurrency browser extensions, copying their stored data.
  • Cryptocurrency Wallet Targeting: It targets popular wallets such as MetaMask and Binance Wallet, looking for wallet files and private keys.
  • Extensive System Information Collection: Mars Stealer also gathers host details, including the IP address, OS version, installed software, and usernames.
  • Screenshot Capture: The malware also takes a screenshot of the desktop of each infected system.

Mars Stealer connects to its Command & Control (C&C) server over SSL. The encrypted channel is used to receive instructions, download its configuration and supporting libraries, and exfiltrate the stolen data; because the content is encrypted, network defenders who do not intercept TLS see only the connection, not what is sent. The collected information is packed into a ZIP archive before being sent to the C&C server.

Mars Stealer uses several techniques to evade detection and slow down analysis. It hides its Windows API calls, resolving the functions it needs at run time instead of declaring them in the import table, and it keeps its strings encrypted until they are used. To prevent multiple instances from running at the same time, it creates a mutex. A custom file grabber parses a configuration received from the C&C server, which lets the operator target specific files and directories.
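Hidden API calls are the reason a static look at the import table of a stealer shows none of the interesting functions. The block below is an added example, not Mars Stealer's code or ANY.RUN's: it shows the mechanism from both sides, the loader resolving exports by a numeric hash and the analyst recovering the names by hashing a list of candidate exports until the constants match. The hash used here (ROR-13 over the ASCII name) is a common illustrative choice and is an assumption, not the algorithm Mars Stealer actually uses; the export lists are a handful of real export names, constructed for the demonstration rather than read from real DLLs. The mutex and string encryption mentioned above are not modelled.

```python
"""Hashed API imports: how a loader resolves them and how an analyst undoes them.

Added example, not code from Mars Stealer or ANY.RUN. The hash (ROR-13 over
the ASCII export name) is an assumed, illustrative algorithm; once the real
hash has been identified in a sample, the recovery step works the same way.
"""


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def api_hash(name):
    """ROR-13 rolling hash of an export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


# Malware side: the binary embeds only these constants, so a static import
# table shows none of the sensitive functions.
WANTED = [api_hash(n) for n in ("CreateMutexA", "InternetOpenA", "CryptUnprotectData")]


def resolve(exports, wanted):
    """Walk a module's export names (as a loader walks the export directory)
    and return the matching name for each wanted hash, or None if absent."""
    table = {api_hash(n): n for n in exports}
    return [table.get(h) for h in wanted]


# Analyst side: brute-force the embedded constants against candidate exports.
def recover(hashes, candidate_exports):
    """Map each hash constant (as hex text) to a recovered name or '<unknown>'."""
    lookup = {api_hash(n): n for n in candidate_exports}
    return {f"0x{h:08x}": lookup.get(h, "<unknown>") for h in hashes}


# Constructed export lists: real export names, but far from complete DLLs.
KERNEL32 = ["CreateMutexA", "CreateFileW", "GetUserDefaultLangID", "ExitProcess"]
WININET = ["InternetOpenA", "HttpSendRequestA", "InternetReadFile"]
CRYPT32 = ["CryptUnprotectData", "CertOpenStore"]

if __name__ == "__main__":
    print("loader sees:", resolve(KERNEL32 + WININET + CRYPT32, WANTED))
    print("analyst recovers:", recover(WANTED, KERNEL32 + WININET + CRYPT32))
    print("unknown constant:", recover([0xDEADBEEF], KERNEL32))
```

In practice the candidate list is the full export table of each DLL the sample loads, and an unmatched constant usually means either a different hash algorithm or a module that has not been considered yet. The mutex name, if the sandbox shows it, is a separate, stable host-based indicator worth recording alongside the network IOCs.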

Before doing anything else, the malware checks whether the machine is located in one of the countries of the Commonwealth of Independent States (CIS) and does not infect it if so. This suggests that the authors of Mars Stealer come from that region.
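The practical consequence for analysts is that a detonation VM with a Russian (or other CIS) locale produces no activity and looks like a clean sample. The block below is an added example, not Mars Stealer's code: it models the gate with Windows language identifiers (LANGIDs), which is an assumption about how such a check is implemented since the page only says that CIS machines are skipped. It goes slightly beyond the page in also checking installed keyboard layouts, a second signal stealers from this region commonly use, and the list of LANGIDs is the author's selection rather than one taken from the malware. The `current_host` helper calls the real Windows functions GetUserDefaultLangID and GetKeyboardLayoutList through ctypes and returns None on other platforms, so the logic itself runs anywhere.

```python
"""Locale gate of the kind Mars Stealer applies before infecting a host.

Added example, not Mars Stealer's code. The LANGID set and the use of the
keyboard-layout list are assumptions; the page only states that machines
in CIS countries are skipped.
"""
import sys

# Windows LANGID values (primary | sub-language) for languages of CIS states
# (assumed list, chosen for the example).
CIS_LANGIDS = {
    0x0419: "ru-RU", 0x0422: "uk-UA", 0x0423: "be-BY", 0x043F: "kk-KZ",
    0x0440: "ky-KG", 0x0443: "uz-Latn-UZ", 0x0843: "uz-Cyrl-UZ",
    0x0428: "tg-Cyrl-TJ", 0x042C: "az-Latn-AZ", 0x082C: "az-Cyrl-AZ",
    0x042B: "hy-AM", 0x0442: "tk-TM",
}


def langid_from_hkl(hkl):
    """A keyboard layout handle (HKL) carries the LANGID in its low 16 bits."""
    return hkl & 0xFFFF


def cis_gate(user_langid, keyboard_hkls=()):
    """Return the reason the host would be skipped, or None to proceed."""
    if user_langid in CIS_LANGIDS:
        return f"user language {CIS_LANGIDS[user_langid]}"
    for hkl in keyboard_hkls:
        lid = langid_from_hkl(hkl)
        if lid in CIS_LANGIDS:
            return f"keyboard layout {CIS_LANGIDS[lid]}"
    return None


def sandbox_profile_ok(user_langid, keyboard_hkls=()):
    """Analyst check: True if a VM with these settings would be infected
    (i.e. would actually show the stealer's behaviour)."""
    return cis_gate(user_langid, keyboard_hkls) is None


def current_host():
    """Read the real values on Windows via ctypes; None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32, u32 = ctypes.windll.kernel32, ctypes.windll.user32
    count = u32.GetKeyboardLayoutList(0, None)
    layouts = (ctypes.c_void_p * count)()
    u32.GetKeyboardLayoutList(count, layouts)
    return k32.GetUserDefaultLangID(), [int(h or 0) for h in layouts]


if __name__ == "__main__":
    host = current_host()
    if host is None:
        # Constructed values: en-US user language, US and Russian layouts.
        host = (0x0409, [0x04090409, 0x04190419])
    langid, hkls = host
    print("would be skipped because:", cis_gate(langid, hkls))
    print("sandbox profile usable:", sandbox_profile_ok(langid, hkls))
```

The second signal matters for sandbox hygiene: a VM whose user language is en-US but which still has a Russian keyboard layout installed is flagged by the gate, so both settings should be checked before concluding that a sample is inert.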

Mars Stealer execution process

It’s time to have a better look at Mars Stealer by uploading its sample to the ANY.RUN sandbox for closer inspection.

To keep its footprint small, Mars Stealer uses a deliberately short execution chain: only a few processes appear on the infected system, and the malware does not rely on built-in system utilities. Once the payload reaches the host, it starts executing immediately.

In the analyzed sample, a single process carries out all the malicious activity, including data theft and communication with the Command and Control (C&C) server. ANY.RUN detected the malware and extracted its configuration.

Figure: Mars Stealer's configuration extracted and displayed in ANY.RUN

Mars Stealer malware distribution methods

When it comes to distribution methods, a typical attack in the case of Mars Stealer starts from spam campaigns or fake websites advertising legitimate software. For instance, in 2022, one of the campaigns to distribute Mars Stealer used a website promoting Atomic Wallet, a popular cryptocurrency wallet. After clicking on the “download” button on the website, users would receive a .zip file which contains a sample of Mars Stealer.

The malware was also commonly dropped by loaders, malicious software designed specifically for spreading different malware families on devices they manage to infect. One of the examples here is PrivateLoader.

Conclusion

With malware infections at an all-time high, staying vigilant when handling suspicious emails, websites, and software downloads is the simplest way to avoid Mars Stealer and similar threats and to keep your infrastructure protected.

ANY.RUN, a cloud-based sandbox, offers accurate threat detection, along with detailed reports on their technical characteristics. It lets you scan any suspicious file and check potentially malicious URLs to ensure informed decision-making and timely removal of any traces of the malware.

