Hash / Info    Value
SHA256         3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07
MD5            4698476f41e3ee39f55126af7286120f
SHA1           ba204fea5acef9c478ae82e09dd199331413ab61
File Name      request.zip
File Type      zip
Size           1,565,849 bytes
First Seen     2022-04-12

Threat Assessment

This sample is classified as an information stealer (infostealer) that collects sensitive credentials and personal data from affected systems. Its primary targets are browser-saved passwords, cookies, cryptocurrency wallet data and session tokens.

Detected Capabilities

  • Browser Credentials
  • Cookie Theft
  • Crypto Wallet
  • 2FA Codes
  • System Information

MalwareBazaar Tags

mars, MarsStealer, zip

Analysis Note

This sample belongs to the MarsStealer family and was obtained from the MalwareBazaar platform. KEYDAL Security Research performed metadata analysis and added it to the IOC database.

MarsStealer — Malware Profile

MarsStealer is a C++-based infostealer family that emerged in 2022. RC2/XOR-encoded C2; steals browser data, crypto wallets, Discord, Steam and 2FA tokens. Successor to AZORult.

Malware Type            Infostealer
Programming Language    C
C2 Protocol             HTTPS
Target Systems          Windows
Also Known As (AKA)     Oski Stealer variant, Mars 2.9

Technical Details

Mars Stealer is a C-based information stealer sold on underground forums since 2021. Successor to Oski Stealer (abandoned after developer arrest in 2020). Targets 40+ browser extensions including MetaMask, Coinbase Wallet, Ledger Live, Atomic, Exodus. Steals: browser passwords/cookies/autofill, screenshots, system info (hardware ID, username, OS), FileZilla/WinSCP credentials, Telegram sessions. Small footprint (~95KB), HTTP POST for exfiltration with base64+XOR encoding. Uses SQLite to parse browser credential stores. Delivered via cracked software downloads, fake Telegram/Discord bots, SEO poisoning. Web panel: SQLite backend, panel sold alongside stealer for ~$140.

Attribution / Threat Actor

Unknown (sold on XSS/Exploit.in forums)

Capabilities & Behavior

Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshots
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration

IOC List (8 indicators)

IOC — MarsStealer
Type     Value                                                             Note
sha256   3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07
md5      4698476f41e3ee39f55126af7286120f
ip       62.204.41.14                                                      MarsStealer C2 panel - Russian hosting
ip       185.215.113.68                                                    MarsStealer active C2
domain   mars-stealer-panel.ru                                             MarsStealer admin panel domain
mutex    Global_MarsStealer_Mutex                                          MarsStealer mutex
email    mars.stealer.shop@proton.me                                       MarsStealer seller email - darknet
url      https://mars-stealer-panel.ru/gate.php                            MarsStealer exfiltration gate
Tags

mars, MarsStealer, zip