| Hash / Info | Value |
|---|---|
| SHA256 | 3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07 |
| MD5 | 4698476f41e3ee39f55126af7286120f |
| SHA1 | ba204fea5acef9c478ae82e09dd199331413ab61 |
| File Name | request.zip |
| File Type | zip |
| Size | 1,565,849 bytes |
| First Seen | 2022-04-12 |
Threat Assessment
This sample is classified as an information stealer (infostealer) that collects sensitive credentials and personal data from affected systems. Browser-saved passwords, cookies, cryptocurrency wallet data and session tokens are its primary targets.
Detected Capabilities
- Browser Credentials
- Cookie Theft
- Crypto Wallets
- 2FA Codes
- System Information
MalwareBazaar Tags
Analysis Note
This sample belongs to the MarsStealer family and was obtained from the MalwareBazaar platform. KEYDAL Güvenlik Araştırmaları (KEYDAL Security Research) performed metadata analysis and added it to the IOC database. Note that the hashes above are those of the request.zip archive (1,565,849 bytes), not of the unpacked stealer executable, which is far smaller; use the archive hashes to match the delivery artifact and extract the contents to obtain hashes for the payload itself.
MarsStealer — Malware Profile
MarsStealer is a C-based infostealer family advertised on underground forums since 2021 and widely reported from 2022, the successor to Oski Stealer. Its C2 traffic is XOR-obfuscated and base64-encoded HTTP; it steals browser data, crypto wallet data, Discord and Steam data, and 2FA tokens.
Technical Details
Mars Stealer is a C-based information stealer sold on underground forums since 2021 and the successor to Oski Stealer, which was abandoned in 2020 after its developer was reportedly arrested. It targets more than 40 browser extensions, including MetaMask, Coinbase Wallet, Ledger Live, Atomic and Exodus, and steals browser passwords, cookies and autofill data, screenshots, system information (hardware ID, username, OS), FileZilla and WinSCP credentials, and Telegram sessions. The binary has a small footprint (~95 KB). Collected data is exfiltrated by HTTP POST with the body XOR-obfuscated and base64-encoded, and browser credential stores are read as SQLite databases. Delivery is via cracked software downloads, fake Telegram/Discord bots and SEO poisoning. The web panel uses a SQLite backend and is sold alongside the stealer for about $140.
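To make the base64+XOR exfiltration encoding concrete, here is an added Python example (not code from this page, from KEYDAL, or from Mars Stealer itself) that models the encoding, decodes a captured POST body when the key is known, and recovers a short repeating key by known plaintext when it is not. The key `k3y!`, the `hwid=...&user=...` field layout and the sample body are constructed assumptions for illustration; the real stealer's key and field names are not given on this page.

```python
from __future__ import annotations

import base64
from itertools import cycle
from urllib.parse import parse_qsl

# Constructed assumptions for illustration only: the real Mars Stealer key,
# field names and body layout are not given on this page.
ASSUMED_KEY = b"k3y!"
SAMPLE_PLAINTEXT = b"hwid=0123456789ABCDEF&user=victim&os=Windows 10&build=1.5"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_exfil(plaintext: bytes, key: bytes) -> str:
    """Model of the stealer-side encoding: XOR with the key, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_exfil(body: str, key: bytes) -> bytes:
    """Reverse the encoding on a captured POST body with a known key."""
    return xor_bytes(base64.b64decode(body), key)


def recover_key(body: str, known_prefix: bytes, must_contain: bytes) -> bytes | None:
    """Known-plaintext recovery of a short repeating XOR key.

    If the first bytes of the plaintext are predictable (here the ``hwid=``
    field), XORing them against the decoded body yields the first bytes of
    the key. Every candidate length up to len(known_prefix) is tried, and a
    candidate is accepted only if decrypting the whole body with it reveals a
    second expected marker: a merely printable-looking result is not proof of
    the right key length, because a wrong length can still keep bytes in the
    ASCII range.
    """
    raw = base64.b64decode(body)
    for key_len in range(1, len(known_prefix) + 1):
        candidate = xor_bytes(raw[:key_len], known_prefix[:key_len])
        if must_contain in xor_bytes(raw, candidate):
            return candidate
    return None


def parse_fields(plaintext: bytes) -> dict[str, str]:
    """Split the decoded form-style body into its fields."""
    return dict(parse_qsl(plaintext.decode("ascii", errors="replace")))


if __name__ == "__main__":
    body = encode_exfil(SAMPLE_PLAINTEXT, ASSUMED_KEY)   # what a proxy would capture
    key = recover_key(body, b"hwid=", b"&user=")
    print("captured body:", body)
    print("recovered key:", key)
    print("fields:", parse_fields(decode_exfil(body, key)))
```

The marker check matters: with the constructed key, a two-byte candidate derived from the same prefix decodes the whole body to printable ASCII yet garbles every field after the prefix, so a printability heuristic alone would stop at the wrong length.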
Attribution / Threat Actor
Unknown (sold on XSS/Exploit.in forums)
Capabilities & Behavior
IOC List (8 indicators)
# SHA256
3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07
# MD5
4698476f41e3ee39f55126af7286120f
# IP
62.204.41.14
# IP
185.215.113.68
# DOMAIN
mars-stealer-panel.ru
# MUTEX
Global_MarsStealer_Mutex
# EMAIL
mars.stealer.shop@proton.me
# URL
https://mars-stealer-panel.ru/gate.php
| Type | Value | Note |
|---|---|---|
| sha256 | 3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07 | |
| md5 | 4698476f41e3ee39f55126af7286120f | |
| ip | 62.204.41.14 | MarsStealer C2 panel, hosted in Russia |
| ip | 185.215.113.68 | MarsStealer active C2 |
| domain | mars-stealer-panel.ru | MarsStealer admin panel domain |
| mutex | Global_MarsStealer_Mutex | MarsStealer mutex |
| email | mars.stealer.shop@proton.me | MarsStealer seller email (darknet) |
| url | https://mars-stealer-panel.ru/gate.php | MarsStealer exfiltration gate |
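As an added example (not the page's or KEYDAL's own tooling), the following Python script loads the IOC table above, scans a handful of constructed log lines (proxy, DNS and EDR events invented here for illustration) and reports which indicator fired on which line. It normalises hash case, pulls the host out of URL-like tokens so a bare domain indicator also covers subdomains and full URLs, and tolerates a table row whose type cell is missing by classifying an `@`-bearing value as an email.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The IOC table from this page, embedded so the script runs offline.
IOC_TABLE = """\
| Type | Value | Note |
|---|---|---|
| sha256 | 3de1fb0d1108907fd61d6d6b9a4c6b856af509e0af35578f158cfce5d634fe07 | |
| md5 | 4698476f41e3ee39f55126af7286120f | |
| ip | 62.204.41.14 | MarsStealer C2 panel, hosted in Russia |
| ip | 185.215.113.68 | MarsStealer active C2 |
| domain | mars-stealer-panel.ru | MarsStealer admin panel domain |
| mutex | Global_MarsStealer_Mutex | MarsStealer mutex |
| email | mars.stealer.shop@proton.me | MarsStealer seller email (darknet) |
| url | https://mars-stealer-panel.ru/gate.php | MarsStealer exfiltration gate |
"""

# Constructed log lines for illustration; they are not from a real incident.
SAMPLE_LOGS = [
    "2022-04-12T10:03:11Z proxy src=10.0.0.23 method=POST url=https://mars-stealer-panel.ru/gate.php status=200 bytes=18422",
    "2022-04-12T10:03:09Z dns client=10.0.0.23 query=mars-stealer-panel.ru type=A answer=62.204.41.14",
    "2022-04-12T10:02:58Z edr host=WS-023 event=CreateMutex name=Global_MarsStealer_Mutex pid=4120",
    "2022-04-12T10:02:40Z edr host=WS-023 event=FileCreate path=C:\\Users\\u\\Downloads\\request.zip sha256=3DE1FB0D1108907FD61D6D6B9A4C6B856AF509E0AF35578F158CFCE5D634FE07",
    "2022-04-12T10:05:00Z proxy src=10.0.0.44 method=GET url=https://example.com/ status=200 bytes=512",
]

KINDS = {"sha256", "md5", "sha1", "ip", "domain", "url", "mutex", "email"}
TOKEN_RE = re.compile(r"[A-Za-z0-9._:@/\\-]+")


@dataclass(frozen=True)
class Ioc:
    kind: str
    value: str
    note: str


def parse_ioc_table(markdown: str) -> list[Ioc]:
    """Read a markdown IOC table; a row missing its type cell is classed by shape."""
    iocs: list[Ioc] = []
    for line in markdown.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells += [""] * (3 - len(cells))  # pad short rows
        kind, value, note = cells[0].lower(), cells[1], cells[2]
        if kind not in KINDS:
            if "@" not in cells[0]:  # header row, separator row or junk
                continue
            kind, value, note = "email", cells[0], cells[1]  # type cell missing
        iocs.append(Ioc(kind, value, note))
    return iocs


def _candidates(line: str) -> set[str]:
    """Lower-cased tokens plus the host part of any URL-like or host:port token."""
    tokens = {t.lower() for t in TOKEN_RE.findall(line)}
    hosts = set()
    for t in tokens:
        if "://" in t:
            t = t.split("://", 1)[1]
        hosts.add(t.split("/", 1)[0].rsplit(":", 1)[0])  # drop path and port (no IPv6 handling)
    return tokens | hosts


def match_line(line: str, iocs: list[Ioc]) -> list[Ioc]:
    """Return every indicator that matches one log line."""
    cands = _candidates(line)
    lowered = line.lower()
    hits = []
    for ioc in iocs:
        v = ioc.value.lower()
        if ioc.kind == "domain":
            hit = any(c == v or c.endswith("." + v) for c in cands)
        elif ioc.kind in ("url", "mutex"):
            hit = v in lowered  # literal substring, case-folded
        else:  # hashes, ip, email: exact token match
            hit = v in cands
        if hit:
            hits.append(ioc)
    return hits


def scan(lines: list[str], iocs: list[Ioc]) -> list[tuple[str, str, str]]:
    """(kind, value, line) for every indicator hit across all lines."""
    return [(ioc.kind, ioc.value, line) for line in lines for ioc in match_line(line, iocs)]


if __name__ == "__main__":
    for kind, value, line in scan(SAMPLE_LOGS, parse_ioc_table(IOC_TABLE)):
        print(f"[{kind}] {value}\n    {line}")
```

A proxy line carrying the full gate URL fires twice, once for the URL indicator and once for the domain, which is the intended behaviour: the domain hit survives if the actor moves gate.php to another path. The archive hash matches the EDR FileCreate event case-insensitively, but, as noted in the Analysis Note, it only identifies request.zip, not the executable dropped from it.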