monster | d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe
Size

10.7MB
MD5

6b1eb54b0153066ddbe5595a58e40536
SHA1

adf81c3104e5d62853fa82c2bd9b0a5becb4589a
SHA256

d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8
SHA512

104faaa4085c9173274d4e0e468eaf75fb22c4cfe38226e4594e6aa0a1dcb148bde7e5e0756b664f14b680872d2476340ebd69fac883d8e99b20acfb5f5dbf04
SSDEEP

196608:ys+j9q6y7PuZANM3FEAIVqUkzgPyzKM+1t02mY1q6vgC5xU7BlUdinrDRQF6f1:yNBly7PumMtgqUTKt2mYtvggGBa4nr1h

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\onefile_1952_133650277086660000\stub.exe	family_monster
behavioral1/memory/2072-40-0x000000013F750000-0x000000014098E000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Executes dropped EXE 1 IoCs

Processes:

stub.exe

pid process

2072 stub.exe
Loads dropped DLL 2 IoCs

Processes:

d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exestub.exe

pid process

1952 d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe
2072 stub.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2072	stub.exe

pid	process
1952	d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe
2072	stub.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe

description	pid	process	target process
PID 1952 wrote to memory of 2072	1952	d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe	stub.exe
PID 1952 wrote to memory of 2072	1952	d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe	stub.exe
PID 1952 wrote to memory of 2072	1952	d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe	stub.exe

C:\Users\Admin\AppData\Local\Temp\d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe
"C:\Users\Admin\AppData\Local\Temp\d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\onefile_1952_133650277086660000\stub.exe
"C:\Users\Admin\AppData\Local\Temp\d39627a497bf5f7e89642ef14bb0134193bc12ad18a2eadddf305c4f8d69b0b8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1952_133650277086660000\stub.exe
Filesize
18.0MB

MD5
f0587004f479243c18d0ccff0665d7f6

SHA1
b3014badadfffdd6be2931a77a9df4673750fee7

SHA256
8ce148c264ce50e64ab866e34759de81b816a3f54b21c3426513bed3f239649a

SHA512
6dedaa729ee93520907ce46054f0573fb887ac0890bea9d1d22382e9d05f8c14a8c151fe2061a0ec1dae791b13752e0fbc00ccc85838caa7524edba35d469434

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1952_133650277086660000\python310.dll
Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
memory/1952-75-0x000000013FE60000-0x0000000140938000-memory.dmp

Filesize
10.8MB

Download
memory/2072-40-0x000000013F750000-0x000000014098E000-memory.dmp

Filesize
18.2MB

Download