BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Mars Stealer

marsstealer
108
Global rank
120 infographic chevron month
Month rank
114
Week rank
0
IOCs

Mars Stealer is a malware program designed to steal sensitive information from infected systems. It can access browser credentials, cryptocurrency wallets, and system information. The malware utilizes advanced evasion techniques and transmits stolen data securely through a C&C server.

Stealer
Type
ex-USSR
Origin
1 June, 2021
First seen
22 September, 2024
Last seen

How to analyze Mars Stealer with ANY.RUN

Stealer
Type
ex-USSR
Origin
1 June, 2021
First seen
22 September, 2024
Last seen

IOCs

Domains
dispatchweekly.com14baef17b6d04c23.php
URLs
http://kenesrakishev.net/wp-admin/admin-ajax.php
http://www.moscow-post.ru/bark/wpadmin/admin.php
http://kenesrakishev.net/wp-includes/pomo/po.php
http://kenesrakishev.net/wp-load.php
http://rakishevkenes.com:443/wp-admin/admin-ajax.php
http://rakishevkenes.com/wp-admin/admin-ajax.php
http://mars.mhsorteio.app.br/APwpnHWkYh.php
http://couriercare.in/18/gate.php
http://www.msk-post.com/server/init.php
http://mail.moscow-post.com/blog/blogger.php
http://gg.gemkan.online/gate.php
http://couriercare.in/2/gate.php
http://www.moscow-post.ru/ryuka/grocktack/fdzeiw.php
http://moscow-post.com/xaoniu/server/waungowangued/g.php
http://moscow-post.ru/patch/server/udryhdj.php
http://moscow-post.com/log/loger.php
http://test.moscow-post.su/log.php
http://www.moscow-post.com/wp-content/plugins/toocreate/tuzerfd.php
http://www.moscow-post.su/su/wp-content/lozzz.php
http://moscow-post.ru/blogggg/blogger.php
Last Seen at
22 September, 2024
Malicious activity
PCCooker_x64.exe
ransomware
cryptowall
evasion
loader
phorpiex
stealer
stealc
marsstealer
xworm
remote
hausbomber
dcrat
arkei
19 September, 2024
Malicious activity
PCCookerx64.exe
evasion
marsstealer
stealer
ransomware
cryptowall
xworm
remote
hausbomber
arkei
16 September, 2024
Malicious activity
c6cdafc0-3a59-4752-861f-175fb2cebfd2
marsstealer
stealer
arkei
crypto-regex
8 September, 2024
Malicious activity
www.mediafire.com
ragnar
ransomware
evasion
loader
phorpiex
autoit
marsstealer
stealer
hausbomber
dcrat
arkei
xworm
tas17
miner
7 September, 2024
Malicious activity
filebin.net
ragnar
ransomware
evasion
loader
phorpiex
xworm
stealer
marsstealer
hausbomber
dcrat
trojan
lokibot
arkei
7 September, 2024
Malicious activity
filebin.net
stealer
guloader
loader
rat
remcos
remote
evasion
ragnar
ransomware
dcrat
darkcrystal
upx
njrat
bladabindi
phorpiex
marsstealer
hausbomber
github
discord
exfiltration
arkei
opendir
stormkitty
formbook
7 September, 2024
Malicious activity
gofile.io
fileshare
ragnar
ransomware
evasion
autoit
opendir
loader
phorpiex
telegram
marsstealer
stealer
hausbomber
botnet
zharkbot
dcrat
lumma
redline
metastealer
arkei
python
discord
github
payload
amadey
stealc
miner
onlineclipper
cryptbot
pastebin
smb
themida
formbook
api-base64
pureminer
netreactor
28 June, 2024
Malicious activity
MarsStealer8_cracked_by_LLCPPC.exe
marsstealer
stealer
arkei
28 June, 2024
Malicious activity
MarsStealer8_cracked_by_LLCPPC.exe
arkei
marsstealer
stealer
29 April, 2024
Malicious activity
d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.zip
marsstealer
stealer
arkei
TRACK THEM ALL AT
Public Submissions
Last Seen at
22 September, 2024
Malicious activity
PCCooker_x64.exe
ransomware
cryptowall
evasion
loader
phorpiex
stealer
stealc
marsstealer
xworm
remote
hausbomber
dcrat
arkei
19 September, 2024
Malicious activity
PCCookerx64.exe
evasion
marsstealer
stealer
ransomware
cryptowall
xworm
remote
hausbomber
arkei
16 September, 2024
Malicious activity
c6cdafc0-3a59-4752-861f-175fb2cebfd2
marsstealer
stealer
arkei
crypto-regex
8 September, 2024
Malicious activity
www.mediafire.com
ragnar
ransomware
evasion
loader
phorpiex
autoit
marsstealer
stealer
hausbomber
dcrat
arkei
xworm
tas17
miner
7 September, 2024
Malicious activity
filebin.net
ragnar
ransomware
evasion
loader
phorpiex
xworm
stealer
marsstealer
hausbomber
dcrat
trojan
lokibot
arkei
7 September, 2024
Malicious activity
filebin.net
stealer
guloader
loader
rat
remcos
remote
evasion
ragnar
ransomware
dcrat
darkcrystal
upx
njrat
bladabindi
phorpiex
marsstealer
hausbomber
github
discord
exfiltration
arkei
opendir
stormkitty
formbook
7 September, 2024
Malicious activity
gofile.io
fileshare
ragnar
ransomware
evasion
autoit
opendir
loader
phorpiex
telegram
marsstealer
stealer
hausbomber
botnet
zharkbot
dcrat
lumma
redline
metastealer
arkei
python
discord
github
payload
amadey
stealc
miner
onlineclipper
cryptbot
pastebin
smb
themida
formbook
api-base64
pureminer
netreactor
28 June, 2024
Malicious activity
MarsStealer8_cracked_by_LLCPPC.exe
marsstealer
stealer
arkei
28 June, 2024
Malicious activity
MarsStealer8_cracked_by_LLCPPC.exe
arkei
marsstealer
stealer
29 April, 2024
Malicious activity
d183838c3849c3cfcb873bf79de6dd6bc2cf7de60a2c18059d97eaeb1d5c2edd.zip
marsstealer
stealer
arkei
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

Contents

  • What is malware: Mars Stealer?
  • Mars Stealer malicious software technical details
  • Mars Stealer execution process
  • Mars Stealer malware distribution methods
  • Conclusion

Recent blog posts

post image
6 Common Persistence Mechanisms in Malware
watchers 334
comments 0
post image
Automated Interactivity: Stage 2
watchers 2192
comments 0
post image
HawkEye Malware: Technical Analysis
watchers 3159
comments 0

What is malware: Mars Stealer?

First identified in June 2021, Mars Stealer is a type of malicious software primarily focused on collecting sensitive information from browsers and cryptocurrency wallets for transmission to attackers. Written in ASM/C, the malware was initially sold through Dark Web forums as a malware-as-a-service on a subscription basis. It shared similar features with other malware like Oski Stealer, Arkei, and Vidar.

While the malware appeared to have stopped functioning in 2022, with reports of unresponsive developers, evidence suggests that the original creators of Mars Stealer remain active in 2024 and continue to exploit the malware for malicious purposes.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Mars Stealer malicious software technical details

Information theft constitutes the core focus of Mars Staler:

  • Browser Credentials: It steals login credentials from popular browsers like Firefox, Chrome, Opera, and Internet Explorer using predefined paths to locate and extract data like usernames and passwords.
  • 2FA and Crypto Extension Data: Focusing specifically on Chromium-based browsers, Mars Stealer can hijack two-factor authentication (2FA) plugins and cryptocurrency extensions.
  • Cryptocurrency Wallet Targeting: It targets popular wallets like MetaMask and Binance Wallet, seeking information such as private keys.
  • Extensive System Information Collection: Mars Stealer also gathers comprehensive system information, including IPs, OS details, software installed on compromised systems, and usernames.
  • Screenshot Capture: The malware also captures a screenshot of every infected system.

Mars Stealer establishes a secure connection with its Command & Control (C&C) server using SSL encryption. This encrypted communication channel allows the malware to receive instructions, download configurations and libraries, and exfiltrate stolen data without raising red flags. The information collected by the malware is compressed into a ZIP archive before being exfiltrated to the C&C server.

Mars Stealer employs various evasion techniques to escape detection and analysis. For instance, it masks its WinApi calls and encrypts strings. To prevent multiple instances of the malware from running concurrently, Mars Stealer creates a mutex object. The virus employs a custom file grabber with configuration parsing capabilities, allowing for flexible targeting of specific files and directories.

The malware includes a special feature that checks every machine before attempting infection to identify whether it is located in one of the countries that belong to the Commonwealth of Independent States (CIS). This likely points to the fact that the creators of Mars Stealer hail from the same region.

Mars Stealer execution process

It’s time to have a better look at Mars Stealer by uploading its sample to the ANY.RUN sandbox for closer inspection.

As perpetrators endeavor to conceal their activities, the Mars Stealer employs a deliberately straightforward execution chain to minimize visibility. Consequently, the infected operating system experiences a limited number of processes, and the malware refrains from utilizing system tools. Once the payload infiltrates the compromised system, it promptly initiates its execution.

The analyzed sample initiates a process executing all malicious activities, including data theft and communication with the Command and Control (C&C) server. Malware was detected, and the configuration was successfully extracted.

Mars config shown in ANY.RUN Mars Stealer's configuration demonstrated in ANY.RUN

Mars Stealer malware distribution methods

When it comes to distribution methods, a typical attack in the case of Mars Stealer starts from spam campaigns or fake websites advertising legitimate software. For instance, in 2022, one of the campaigns to distribute Mars Stealer used a website promoting Atomic Wallet, a popular cryptocurrency wallet. After clicking on the “download” button on the website, users would receive a .zip file which contains a sample of Mars Stealer.

The malware was also commonly dropped by loaders, malicious software designed specifically for spreading different malware families on devices they manage to infect. One of the examples here is PrivateLoader.

Conclusion

With malware infections being at an all time high, it becomes important to stay vigilant and exercise caution when encountering any suspicious emails, websites, or software downloads to avoid falling victim to Mars Stealer or similar malware threats, as well as to maintain protection of your infrastructure.

ANY.RUN, a cloud-based sandbox, offers accurate threat detection, along with detailed reports on their technical characteristics. It lets you scan any suspicious file and check potentially malicious URLs to ensure informed decision-making and timely removal of any traces of the malware.

Try ANY.RUN for free – register now!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More
Havoc screenshot
Havoc
havoc
Havoc is an advanced post-exploitation framework used by hackers to take control of a system once they've breached it. With Havoc, attackers can run commands remotely, inject malicious processes, and access sensitive data. It's often used in targeted attacks, allowing cybercriminals to stay hidden in a network while stealing information or launching further attacks. Its flexibility and ability to bypass detection make it a serious threat, especially in environments that rely on traditional security tools.
Read More