New Marsilia Ransomware Downloader Found

Overview

This week, the SonicWall Capture Labs threat research team analyzed a sample of Marsilia malware, also known as Mallox. This is a multi-stage sample that, when functional, will have a first stage that enumerates system information and creates persistence. The second stage is then downloaded and will perform data extraction and encryption for ransomware purposes.

Technical Analysis

The sample is a .NET binary protected with SmartAssembly, although the main parts of the file’s operations are still in plaintext.

Figure 1: Sample detection

Figure 2: Plaintext address in strings

Running de4dot to remove SmartAssembly changes very little in terms of function readability.

Figure 3: Before (red) and after (green) deobfuscation

During runtime, the malware will query the system volumes and install persistence using the following registry key:

‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate’

Language, locale, and security (WMI) registry keys are enumerated, as are application logs, for strings that indicate a virtual environment. During testing, most of these keys were not present on the target system. The application sets write watch on its thread memory and enables debug mode to check for analysis tools. It can also sleep for extended periods as an evasion technique.

Figure 4: Sample will enumerate through languages, locales

Figure 5: Using WMI to enumerate for system applications and devices

Figure 6: Time to sleep after sustained connection failure, in seconds

During testing, the sample bound itself to ports 49729 – 49970 and reached out to the following address:

  • https://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4

A connection is established, and the malware will attempt to reconnect constantly. At the time of writing, the page returns a 403/Not Found and does not deliver a payload.

Figure 7: Active connection established

Figure 8: Sample attempts a connection multiple times per second

Figure 9: Directly going to the page leads to a ‘Not Found’ page

However, when the sample is not running, the connection is actively refused. This indicates that the ‘Not Found’ page is likely served on purpose and is not a genuine 403/Not Found response. OSINT research shows that the IP has been used with a variety of other malware families, including AgentTesla, XMRig, AveMaria and others.
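As an added example (not part of SonicWall’s write-up), the following Python script shows detection logic for the behaviour described above run over a few constructed log lines: it flags connections to the hosts in the IOC list and the rapid per-second retry pattern coming from the source-port range the sample bound. The log format, the field names and the retry threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hosts taken from the write-up's IOC list (defanging brackets removed for matching).
IOC_HOSTS = {"transfer.sh", "163.5.169.28", "163.5.64.41"}
# Source-port range the sample bound during testing (49729 - 49970).
SRC_PORT_RANGE = range(49729, 49971)
# Assumed threshold: this many attempts within one second to one host is treated as beaconing.
RETRY_THRESHOLD = 3

# Constructed sample log lines in a hypothetical format: ts pid=... sport=... dst=... status=...
SAMPLE_LOG = """\
2024-01-01T10:00:00.100 pid=4120 sport=49730 dst=transfer.sh status=refused
2024-01-01T10:00:00.350 pid=4120 sport=49731 dst=transfer.sh status=refused
2024-01-01T10:00:00.600 pid=4120 sport=49732 dst=transfer.sh status=refused
2024-01-01T10:00:00.900 pid=4120 sport=49733 dst=transfer.sh status=403
2024-01-01T10:00:01.200 pid=4120 sport=49734 dst=transfer.sh status=refused
2024-01-01T10:00:02.000 pid=880 sport=51000 dst=example.com status=200
2024-01-01T10:00:02.500 pid=880 sport=51001 dst=example.com status=200
"""

LINE_RE = re.compile(r"^(\S+) pid=(\d+) sport=(\d+) dst=(\S+) status=(\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m.group(1)), "pid": int(m.group(2)),
            "sport": int(m.group(3)), "dst": m.group(4), "status": m.group(5)}

def detect(log_text):
    """Return sorted (pid, dst, reason) findings for IOC hits and rapid retries."""
    findings = set()
    per_second = defaultdict(int)  # (pid, dst, whole second) -> attempt count
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["dst"] in IOC_HOSTS:
            findings.add((ev["pid"], ev["dst"], "known IOC host"))
        key = (ev["pid"], ev["dst"], ev["ts"].replace(microsecond=0))
        per_second[key] += 1
        if per_second[key] >= RETRY_THRESHOLD and ev["sport"] in SRC_PORT_RANGE:
            findings.add((ev["pid"], ev["dst"], "rapid retries from sample port range"))
    return sorted(findings)
```

Matching on the bare transfer.sh host will also flag legitimate use of that file-sharing service; where proxy logs carry the full URL, match the path from the IOC list instead.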

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • MalAgent.Marsilia

IOCs

  • 36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7
  • http://transfer[.]sh/get/LCRJGyiNOh/Muyjskpj.mp4
  • http://163.5.169[.]28/cmt.exe
  • http://163.5.64[.]41/test.exe