Mars Stealer is an upgraded variant of Oski Stealer with added anti-analysis and credential theft capabilities, including browser and crypto wallet data harvesting, plus a modular downloader and self-removal mechanism. It uses encrypted strings, runtime API resolution, and a C2 server (cookreceipts.fun) to fetch payloads and exfiltrate data. #MarsStealer #OskiStealer #cookreceipts.fun

Keypoints

  • Mars Stealer is described as an upgraded version of Oski Stealer, with anti-debug, anti-emulation, and code refactoring enhancements.
  • It targets a wide range of browsers (Chromium-based and others) and crypto wallets, stealing browser data and wallet files.
  • The malware uses a grabber to fetch its configuration from the C2, then a loader to download and execute additional payloads; dependencies are fetched from the C2 over WinINet (six HTTP requests).
  • Strings are stored RC4-encrypted and Base64-encoded, with the decryption key held in the decrypt_key variable; API addresses are resolved at runtime, and the binary does not link the C runtime or standard library.
  • Anti-analysis checks include anti-emulation (computer name HAL9TH and username JohnDoe, the defaults of the Windows Defender emulator) and language/region checks so that machines in CIS countries are not infected.
  • Self-protection features include a mutex to prevent multiple instances and an expiration check against the compilation date; if either condition trips, the malware deletes itself.
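The string protection described above (RC4 followed by Base64, key in decrypt_key) is exactly what an analyst re-implements to dump the string table. The following decryptor is an added example, not code from the 3xp0rt write-up or from the malware: the key, the sample strings, and the assumption that each blob is Base64(RC4(key, plaintext)) are constructed here for illustration.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then the keystream generator (PRGA).
    RC4 is symmetric, so the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_string(encoded: str, decrypt_key: bytes) -> str:
    """Undo one protected string: Base64-decode, then RC4 with decrypt_key.
    Order of operations (Base64 on the outside) is an assumption of this example."""
    return rc4(decrypt_key, base64.b64decode(encoded)).decode("utf-8", "replace")


def encrypt_string(plain: str, decrypt_key: bytes) -> str:
    """Inverse of decrypt_string; used only to build the constructed sample table."""
    return base64.b64encode(rc4(decrypt_key, plain.encode())).decode()


def decrypt_table(table: list[str], decrypt_key: bytes) -> list[str]:
    """Decrypt a whole string table, as an analyst would after locating
    the blobs and the key in the binary."""
    return [decrypt_string(blob, decrypt_key) for blob in table]


# Constructed sample data: a hypothetical key and three plaintexts taken from
# the write-up's indicators. These are NOT the real key or blobs from the sample.
DECRYPT_KEY = b"examplekey"
PLAINTEXTS = ["wallet.dat", "exodus.conf.json", "cookreceipts.fun"]
SAMPLE_TABLE = [encrypt_string(s, DECRYPT_KEY) for s in PLAINTEXTS]

if __name__ == "__main__":
    for blob, clear in zip(SAMPLE_TABLE, decrypt_table(SAMPLE_TABLE, DECRYPT_KEY)):
        print(f"{blob}  ->  {clear}")
```

The rc4() function is checked against the well-known public test vector (key "Key", plaintext "Plaintext" gives BBF316E8D940AF0AD3), so if a real dump decrypts to garbage the problem is the key or the Base64/RC4 order, not the cipher.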

MITRE Techniques

  • [T1059.003] Windows Command Shell – The malware calls ShellExecuteExA() to run a downloaded executable, and for self-removal spawns cmd.exe with /c timeout /t 5 followed by a del command.
  • [T1070.004] File Deletion – The cmd.exe command deletes the stealer's own executable after the timeout delay.
  • [T1027] Obfuscated/Encrypted Files and Information – Most strings are encrypted using RC4 and Base64 with a decryption key embedded.
  • [T1497] Virtualization/Sandbox Evasion – Anti-emulation checks and environment checks (e.g., comparing computer name and username).
  • [T1082] System Information Discovery – Collects IP, country, computer/user names, machine IDs, installed software, and other system details.
  • [T1105] Ingress Tool Transfer – Downloads dependencies from the C2 (WinINet), including sqlite3.dll prior to browser credential theft.
  • [T1552.001] Credentials in Files – Steals from wallet-related files (e.g., wallet.dat) containing addresses and private keys.
  • [T1555.003] Credentials from Web Browsers – Steals browser credentials from Chromium/Gecko-based browsers via static paths.
  • [T1041] Exfiltration: Exfiltration Over C2 Channel – Uploads logs/config data back to the C2 during operation.

Indicators of Compromise

  • [Domain] cookreceipts.fun – C2 domain used by Mars Stealer to fetch config and payloads.
  • [File] wallet.dat – Wallet data file containing addresses and private keys, one of the wallet files the stealer collects.
  • [File] exodus.conf.json – Exodus wallet configuration file observed among the targeted wallet entries.
  • [File] exodus.wallet, passphrase.json, seed.seco, info.seco – additional Exodus wallet files referenced in the sample (the first appears in the listing as Exodusexodus.wallet, most likely the Exodus\exodus.wallet path with its separator lost).

Read more: https://3xp0rt.com/posts/mars-stealer