DOI: https://doi.org/10.33994/kndise.2023.68.46

I. Starenkyi, O. Donchenko

The purpose of this work is to use an experimentally way to determine the characteristic features of the use of the software «Mars Stealer», which is positioned as a software product of the «Stealer» type, which is contained in the memory among the available and deleted data of the information storage device.
The following conclusions can be drawn on the basis of the conducted experiment:

1. Autopsy» software is a good tool for trying to reproduce and trace the events and processes that took place on the storage device;
2. By studying the events and processes in the memory of the information storage, it was possible to establish the sequence of actions of the expert to detect the executable file(s) of third-party software that may be malicious;
3. In the case when the research of the detected executable build file is not carried out immediately after receiving the research objects, but after a certain time, for example, within 90 calendar days, there is a high probability of «losing» communication with the C2 server, which the build – file calls. But, in order to establish the IP address to which the file-initiator try to connect on the affected computer, it is recommended to repeatedly run the build-file (this may increase the chances of detecting the IP address of the C2 server) while simultaneously monitoring the Internet traffic, which will go through a virtual machine;
4. The executing file-initiator on the affected PC by the «Mars Stealer» software, even if there is an error in its work, will be «forced» to save the information collected on the affected PC in the root directory of the location of the Build file itself;
5. Based on the results of the work carried out, it is possible to establish the characteristic features of the use of the «Mars Stealer» software, which is positioned as a «stealer» type of software, which include logging the number of launches of the executing Build-file, and interaction with the folders of WEB browsers installed in the memory storage of information, as well as interaction with a large number of libraries.
6. The obtained results of the experiment given in this paper can be used when conducting examinations in the expert speciality 10.9 «Research of computer equipment and software products», in the study of information storage devices, among the available and deleted data of which information about samples of executable files of the «Mars Stealer» software, which is confirmed by the evidence collected during the examination.

Key words: digital media, image, file, stealer, software, operating system, virtual machine.