Merge pull request #920 from Delta-Sierra/main

add mars and oski stealers
Deborah Servili 2024-01-31 16:05:12 +01:00 committed by GitHub
commit 270bc6fb7d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -223,7 +223,67 @@
}, },
"uuid": "0266302b-52d3-44da-ab63-a8a6f16de737", "uuid": "0266302b-52d3-44da-ab63-a8a6f16de737",
"value": "Sordeal-Stealer" "value": "Sordeal-Stealer"
},
{
"description": "Mars stealer is an improved successor of Oski Stealer, supporting stealing from current browsers and targeting crypto currencies and 2FA plugins. Mars Stealer written in ASM/C using WinApi, weight is 95 kb. Uses special techniques to hide WinApi calls, encrypts strings, collects information in the memory, supports secure SSL-connection with C&C, doesnt use CRT, STD.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.mars_stealer",
"https://3xp0rt.com/posts/mars-stealer/",
"https://cyberint.com/blog/research/mars-stealer/",
"https://isc.sans.edu/diary/rss/28468",
"https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468",
"https://blog.morphisec.com/threat-research-mars-stealer",
"https://cert.gov.ua/article/38606",
"https://www.malwarebytes.com/blog/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique",
"https://blog.sekoia.io/mars-a-red-hot-information-stealer/",
"https://www.bleepingcomputer.com/news/security/new-meta-information-stealer-distributed-in-malspam-campaign/",
"https://www.esentire.com/blog/fake-chrome-setup-leads-to-netsupportmanager-rat-and-mars-stealer",
"https://resources.infosecinstitute.com/topics/malware-analysis/mars-stealer-malware-analysis/",
"https://www.microsoft.com/en-us/security/blog/2022/05/17/in-hot-pursuit-of-cryware-defending-hot-wallets-from-attacks/",
"https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-mars-stealer",
"https://x-junior.github.io/malware%20analysis/2022/05/19/MarsStealer.html",
"https://www.kelacyber.com/information-stealers-a-new-landscape/",
"https://cyble.com/blog/fake-atomic-wallet-website-distributing-mars-stealer/",
"https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf",
"https://drive.google.com/file/d/14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view",
"https://threatmon.io/mars-stealer-malware-analysis-2022/",
"https://threatmon.io/storage/mars-stealer-malware-analysis-2022.pdf",
"https://3xp0rt.com/posts/mars-stealer/forum.png"
]
},
"related": [
{
"dest-uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "successor-of"
}
],
"uuid": "64e51712-89d6-4c91-98ac-8907eafe98c6",
"value": "Mars Stealer"
},
{
"description": "The Oski stealer is a malicious information stealer, which was first introduced in November 2019. As the name implies, the Oski stealer steals personal and sensitive information from its target. “Oski” is derived from an old Nordic word meaning Viking warrior, which is quite fitting considering this popular info-stealer is extremely effective at pillaging privileged information from its victims.",
"meta": {
"refs": [
"https://malpedia.caad.fkie.fraunhofer.de/details/win.oski",
"https://twitter.com/albertzsigovits/status/1160874557454131200",
"https://www.bitdefender.com/blog/labs/",
"https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer",
"https://medium.com/shallvhack/oski-stealer-a-credential-theft-malware-b9bba5164601",
"https://yoroi.company/en/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/",
"https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view",
"https://www.rapid7.com/solutions/unified-mdr-xdr-vm/",
"https://3xp0rt.com/posts/mars-stealer/",
"https://cyberint.com/blog/research/mars-stealer/",
"https://isc.sans.edu/diary/Arkei+Variants%3A+From+Vidar+to+Mars+Stealer/28468"
]
},
"uuid": "54b61c7e-8ced-4b90-a295-62102bfd4f32",
"value": "Oski Stealer"
} }
], ],
"version": 13 "version": 14
} }
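Review bot: Several of the new `refs` are not citable sources for these clusters: in the Oski entry `https://www.bitdefender.com/blog/labs/` is a blog index and `https://www.rapid7.com/solutions/unified-mdr-xdr-vm/` is a product page, in the Mars entry `https://3xp0rt.com/posts/mars-stealer/forum.png` is a bare image already covered by the post URL above it, and the two Google Drive links (`.../14cmYxzowVLyuiS5qDGOKzgI2_vak2Fve/view`, `.../1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view`) are unversioned uploads that cannot be verified or attributed — I would drop the first three, collapse the duplicate ISC diary link (`/diary/rss/28468` and the titled URL point at the same diary), and replace the Drive links with the publisher's own URL or an archive.org snapshot. The Oski `description` reproduces vendor prose, including an unsourced etymology claim and typographic quotes, where a galaxy description should state what is established by the cited analyses (information stealer first seen November 2019, credential theft, succeeded by Mars Stealer per the `successor-of` relation). The Mars `description` likewise reads as the seller's forum advertisement restated as fact (`weight is 95 kb`, `doesnt use CRT, STD`); either attribute it (`According to the seller's advertisement, ...`) or rewrite it from the Morphisec/Sekoia/ISC analyses already listed, and fix `doesnt` while there. Consider adding `synonyms` where the cited reports use variant names, and an Arkei/Vidar lineage relation if those clusters exist elsewhere in this file — I cannot see them from this hunk.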