
Spyware.MarsStealer information


Spyware.MarsStealer is an information stealer (most of the vendor labels listed below classify it as a password stealer, "PSW") and is considered dangerous by many security researchers. When this infection is active, you may notice unwanted processes in the Task Manager list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.


Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to run a complete scan and clean your PC during the trial period.
A 6-day free trial is available.

What can the Spyware.MarsStealer virus do?

  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Guard pages use detected – possible anti-debugging.
  • Dynamic (imported) function loading detected
  • Performs HTTP requests potentially not found in PCAP.
  • Reads data out of its own binary image
  • CAPE extracted potentially suspicious content
  • The binary contains an unknown PE section name indicative of packing
  • Authenticode signature is invalid
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Attempts to modify proxy settings

How to identify Spyware.MarsStealer?


File Info:

name: 1E4F74252C35A43C4086.mlw
path: /opt/CAPEv2/storage/binaries/1fb1244bbc75553e090acf7f1dfc01f4283b428ac966364fad0d95bd1b967e61
crc32: 042F5B6A
md5: 1e4f74252c35a43c4086090b4484708e
sha1: dd2f40aa4ffbec6c85d92299a41dfad612157ec5
sha256: 1fb1244bbc75553e090acf7f1dfc01f4283b428ac966364fad0d95bd1b967e61
sha512: 41b08c7a2cf88975ea27737efa2413e7cd3686896faa95bd1de7f1ce11da7842ce2ed218ed6cb3daaf6be5fb67dbae85faa3f2cf0284a3f70052088cda0b19b4
ssdeep: 24576:mRXRg6uxJ5XbQk9wjhL2lYWmQm1uNV3fWWXz2+x5XzS8bWDzJhRUCh:RHsl1aJSmjS8bTCh
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T13845AE10F2E0C93AE1B6197C9C2BFAE5562DFE01BFB8940B3EE44F4E5A315403865697
sha3_384: e4d7eda3037121f4f6c78ca53888f9fef2ad9baf199b8f6c8886f0c25e35b6e45d2a99b101f2ac8ce50ab9af62ff253f
ep_bytes: 558bec83c4e033c08945e08945e48945
timestamp: 2022-05-04 20:54:28

Version Info:

0: [No Data]
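The file info above is what a practitioner uses to match a suspicious file against this sample. The Python script below is an added example, not part of the original page and not GridinSoft's or CAPE's own code: it computes the same crc32/md5/sha1/sha256 values, parses the PE headers with the standard library only to recover the compile timestamp, the first 16 entry-point bytes and the section names that CAPE reports, and flags section names outside a common linker set (the "unknown PE section name indicative of packing" signature above). ssdeep and tlsh need third-party libraries and are left out. The PE it runs on is a constructed minimal sample with a UPX1 section and the page's ep_bytes prologue; it is not the real malware, so its hashes will not match the listed ones. KNOWN_HASHES, COMMON_SECTIONS, the UTC rendering of the timestamp and the sample's layout are assumptions for illustration.

```python
"""Static triage of a suspected Spyware.MarsStealer sample (added example).
Computes the hashes CAPE reports, parses PE headers with the standard
library only, and flags packing hints. ssdeep/tlsh need third-party
libraries and are deliberately left out."""
import hashlib
import struct
import zlib
from datetime import datetime, timezone

# Hashes listed for this sample in the File Info above.
KNOWN_HASHES = {
    "md5": "1e4f74252c35a43c4086090b4484708e",
    "sha1": "dd2f40aa4ffbec6c85d92299a41dfad612157ec5",
    "sha256": "1fb1244bbc75553e090acf7f1dfc01f4283b428ac966364fad0d95bd1b967e61",
}
# Section names normal linkers emit (assumed allow-list); anything else is a packing hint.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                   ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}


def hash_bytes(data: bytes) -> dict:
    """crc32 in CAPE's upper-case 8-hex-digit form, the rest as hex digests."""
    return {"crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08X"),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def format_timestamp(ts: int) -> str:
    """PE TimeDateStamp (seconds since epoch) rendered like the 'timestamp' field above (UTC assumed)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]                # 0x10B = PE32
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40                             # 40-byte section headers
        name, vsize, vaddr, rsize, raddr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize, raddr))
    ep_bytes = b""
    for _, vsize, vaddr, rsize, raddr in sections:
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):            # map RVA -> file offset
            ep_bytes = data[raddr + (ep_rva - vaddr):][:16]
            break
    return {"pe32": magic == 0x10B, "machine": machine,
            "timestamp": format_timestamp(ts), "entry_point": ep_rva,
            "ep_bytes": ep_bytes.hex(), "sections": [s[0] for s in sections]}


def triage(data: bytes) -> dict:
    """Combine hashes, header fields and the two IoC checks into one report."""
    info = parse_pe(data)
    info["hashes"] = hash_bytes(data)
    info["hash_match"] = any(info["hashes"][k] == v for k, v in KNOWN_HASHES.items())
    info["unknown_sections"] = [n for n in info["sections"] if n not in COMMON_SECTIONS]
    return info


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for the demo (NOT the real sample): one section
    named UPX1 at RVA 0x1000 whose code begins with the ep_bytes prologue listed above."""
    ts = int(datetime(2022, 5, 4, 20, 54, 28, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x0102)      # i386, one section
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000)
    opt += b"\0" * (0xE0 - len(opt))                                     # standard PE32 size
    sec = struct.pack("<8sIIII", b"UPX1", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))                            # raw data at 0x200
    code = bytes.fromhex("558bec83c4e033c08945e08945e48945")             # push ebp; mov ebp,esp; ...
    return headers + code + b"\0" * (0x200 - len(code))


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To check a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; a `hash_match` of True is a positive identification of this exact sample, while `unknown_sections` and an invalid Authenticode signature are only packing hints and need the behavioural evidence above to confirm.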

Spyware.MarsStealer also known as:

Lionic: Trojan.Win32.Buzus.lD44
DrWeb: Trojan.PWS.Stealer.32841
MicroWorld-eScan: Gen:Trojan.Heur.lLZ@VF2V!eii
ALYac: Gen:Trojan.Heur.lLZ@VF2V!eii
Cylance: Unsafe
Sangfor: Trojan.Win32.Heur.lLZ@VF2V!eii
K7AntiVirus: Password-Stealer ( 0057f6e51 )
BitDefender: Gen:Trojan.Heur.lLZ@VF2V!eii
K7GW: Password-Stealer ( 0057f6e51 )
Cybereason: malicious.52c35a
BitDefenderTheta: AI:Packer.F6174A961C
Cyren: W32/DelfInject.A.gen!Eldorado
Symantec: ML.Attribute.HighConfidence
Elastic: malicious (high confidence)
ESET-NOD32: a variant of Win32/PSW.Agent.OMJ
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Trojan-PSW.Win32.Coins.gen
Alibaba: Trojan:Win32/DelfInject.ali2000015
NANO-Antivirus: Virus.Win32.Gen.ccmw
ViRobot: Trojan.Win32.Z.Agent.1241096
Tencent: Malware.Win32.Gencirc.11f33780
Ad-Aware: Gen:Trojan.Heur.lLZ@VF2V!eii
Sophos: Mal/Generic-S + Troj/Agent-NRE
TrendMicro: TROJ_GEN.R002C0RE422
McAfee-GW-Edition: BehavesLike.Win32.ExploitMydoom.th
FireEye: Generic.mg.1e4f74252c35a43c
Emsisoft: Gen:Trojan.Heur.lLZ@VF2V!eii (B)
SentinelOne: Static AI – Suspicious PE
Avira: TR/Crypt.XPACK.Gen
MAX: malware (ai score=86)
Microsoft: Trojan:Win32/Wacatac.B!ml
Arcabit: Trojan.Heur.E334F8
ZoneAlarm: HEUR:Trojan-PSW.Win32.Coins.gen
GData: Gen:Trojan.Heur.lLZ@VF2V!eii
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win.Generic.C5117799
McAfee: Artemis!1E4F74252C35
Malwarebytes: Spyware.MarsStealer
TrendMicro-HouseCall: TROJ_GEN.R002C0RE422
Rising: Stealer.Agent!8.C2 (CLOUD)
Ikarus: Trojan.Win32.Jorik
Fortinet: W32/Buzus.AHR!tr
AVG: Win32:PWSX-gen [Trj]
Avast: Win32:PWSX-gen [Trj]
CrowdStrike: win/malicious_confidence_100% (W)

How to remove Spyware.MarsStealer?

Spyware.MarsStealer removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a "Standard scan".
  • Click "Move to quarantine" for all detected items.
  • Open the "Tools" tab and press "Reset Browser Settings".
  • Select the affected browser and the desired options, then click "Reset" (the stealer attempts to modify proxy settings, so this step undoes any proxy it set).
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
