Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
08-07-2024 12:27
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe
Resource
win10v2004-20240704-en
General
-
Target
SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe
-
Size
10.7MB
-
MD5
6b1eb54b0153066ddbe5595a58e40536
-
SHA1
adf81c3104e5d62853fa82c2bd9b0a5becb4589a
-
SHA256
d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8
-
SHA512
104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04
-
SSDEEP
196608:ys+j9q6y7PuZANM3FEAIVqUkzgPyzKM+1t02mY1q6vgC5xU7BlUdinrDRQF6f1:yNBly7PumMtgqUTKt2mYtvggGBa4nr1h
Malware Config
Signatures
-
Detects Monster Stealer. 2 IoCs
resource yara_rule behavioral1/files/0x0038000000013adc-35.dat family_monster behavioral1/memory/2672-40-0x000000013F4E0000-0x000000014071E000-memory.dmp family_monster -
Executes dropped EXE 1 IoCs
pid Process 2672 stub.exe -
Loads dropped DLL 2 IoCs
pid Process 1708 SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe 2672 stub.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1708 wrote to memory of 2672 1708 SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe 28 PID 1708 wrote to memory of 2672 1708 SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe 28 PID 1708 wrote to memory of 2672 1708 SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\onefile_1708_133649152825146000\stub.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Python.Stealer.1548.11147.30861.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD5c80b5cb43e5fe7948c3562c1fff1254e
SHA1f73cb1fb9445c96ecd56b984a1822e502e71ab9d
SHA256058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20
SHA512faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81
-
Filesize
18.0MB
MD5f0587004f479243c18d0ccff0665d7f6
SHA1b3014badadfffdd6be2931a77a9df4673750fee7
SHA2568ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a
SHA5126dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434