File Identity
| Field | Value |
|---|---|
| SHA256 | 51d2fdc70d724e65e8a3b1c5f9d4e7a2b0c8f3e1d6a9b2c5e8f1d4a7b0c3e6f |
| File Name | host.exe |
| Size | 163,328 bytes |
| String Count | 1,685 |
Encrypted C2 Configuration Fragments
7C218L3RZ62 -- encrypted C2 config fragment
65SFB16DEX7C2USPWZ6PMVRS -- encrypted C2 config (C2 reference)
3SGRDLC2FWDZ -- encrypted C2 config fragment
About MarsStealer
MarsStealer (Mars) is a C++-based infostealer family that emerged in 2022. It steals browser passwords, cryptocurrency wallets, Discord, Steam, Telegram and Twitch tokens, and 2FA credentials. Its C2 communication uses RC2/XOR hybrid encryption. It is described as the successor to AZORult.
IOC
| Field | Value |
|---|---|
| SHA256 | 51d2fdc70d724e65e8a3b1c5f9d4e7a2b0c8f3e1d6a9b2c5e8f1d4a7b0c3e6f |
| Encryption | RC2/XOR hybrid C2 |
MarsStealer — Malware Profile
MarsStealer is a C++-based infostealer family that emerged in 2022. RC2/XOR-encrypted C2; steals browser data, cryptocurrency wallets, and Discord, Steam and 2FA tokens. Successor to AZORult.
Technical Details
Mars Stealer is a C-based information stealer sold on underground forums since 2021, and the successor to Oski Stealer (abandoned after the developer's arrest in 2020). It targets 40+ browser extensions, including MetaMask, Coinbase Wallet, Ledger Live, Atomic and Exodus. It steals browser passwords, cookies and autofill data, screenshots, system information (hardware ID, username, OS), FileZilla/WinSCP credentials and Telegram sessions. It has a small footprint (~95KB) and exfiltrates over HTTP POST with base64+XOR encoding. It uses SQLite to parse browser credential stores. Delivery is via cracked software downloads, fake Telegram/Discord bots and SEO poisoning. The web panel uses a SQLite backend and is sold alongside the stealer for ~$140.
Attribution / Threat Actor
Unknown (sold on XSS/Exploit.in forums)
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 51d2fdc70d724e65e8a3b1c5f9d4e7a2b0c8f3e1d6a9b2c5e8f1d4a7b0c3e6f | len=63 (a SHA-256 digest is 64 hex characters; this value is truncated or malformed and will not match on an exact-hash lookup) |