Mars Stealer Cracked.rar

Mars is a piece of malicious software classified as a stealer. Malware within this classification operates by extracting content and information from infected devices. This applies to Mars as well; it can stealthily obtain a wide variety of data. Therefore, the threats posed by this malware are quite broad.

The Mars stealer is a lightweight malicious program. Hence, it does not strain the compromised OS (Operating System), which means that there are no obvious signs of infection (e.g., significant decrease in response/operation time, system crashes, etc.).

Mars stealer can also extract browsing and file download histories, Internet cookies, autofill/autocomplete data, and stored passwords from the following browsers: Google Chrome, Chromium, Mozilla Firefox, Microsoft Edge and its Chromium version, Internet Explorer, Opera Stable, Opera GX, Opera Neon, Kometa, Amigo, Torch, Orbitum, Comodo Dragon, and many others.

FickerStealer, MoistStealer, Jupyter, RedLine Stealer, Little Thief, HackBoss, and Xenon are some examples of malicious programs with stealer-type abilities. Malware can have various harmful functionalities, which can be in different combinations.

Update 5 August 2022 - Threat actors are now using a fake Atomic Wallet website to distribute the Mars stealer. The "Download for Windows" button on that fake website downloads a ZIP file named "Atomic". This archive contains another file named "AtomicWallet-Setup.bat". This batch file executes PowerShell commands to infect computers with the Mars stealer.

The fake AnyDesk installer comes in an ISO image file and is 312 MB in size. It is common practice for stealers to pad the binary with junk hex bytes to increase the file size, since some sandboxes and antivirus products have file size limitations. The infection chain is shown in Figure 3.

The eSentire TRU team has observed that the threat actor(s) have been using the AutoIt wrapper to obfuscate stealers such as Mars Stealer. For a more in-depth analysis, read our blog on Mars Stealer wrapped with AutoIt.

The scheduled task creation command line (the scheduled task is named Puoi and is set to run the z file under folder %TEMP%\zqNDtAgMrV, which is the obfuscated AutoIt script containing the stealer, every 3 minutes):

Similar to Raccoon Stealer, Redline requires a VPS (Virtual Private Server) dedicated server to host the panel. The stealer can be easily bought via a Telegram Bot (Figure 12) using cryptocurrency as a payment method. The price for Redline is $150 USD per month and $900 USD for lifetime access. Upon purchasing Redline, the user gets a link to the private chat in Telegram. At the time of this analysis, roughly 400 members were part of the Telegram group. Based on a review of the chats, Russian native speakers were the most active. After the subscription expires, the user is removed from the private chat.

What makes Redline Stealer popular is that the control panel is quite easy to navigate; once the user buys the stealer, they get detailed instructions in English and Russian on Redline functionality and installation steps (Figure 13).

Facebook logs are among the popular stolen logs being bought on hacking forums (Figures 22-23). The stealer logs that contain cookies can be enticing to cybercriminals. With the cookies, an attacker would be able to bypass two-factor authentication. By using the stolen cookie, the threat actor would be able to authenticate as another user on platforms such as YouTube and Facebook.

The installers push the stealer to third-party advertising networks or platforms. The advertising service will display the ads on different webpages based on the countries that the attacker(s) specify (Figure 27).

Under Entity16, the stealer enumerates the Login Data, Web Data, and Cookies folders for Chrome and Opera GX Stable. It also searches for crypto wallet browser extensions under the Local Extension Settings folders for Chrome (Figure 33).

The e

