monster | 0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665

Resubmissions

12/07/2024, 17:20

240712-vwmsqavenb 10

12/07/2024, 16:06

240712-tj8zra1bnq 10

Analysis

max time kernel
1559s
max time network
1561s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

monster.exe
Size

10.7MB
MD5

3f4f5c57433724a32b7498b6a2c91bf0
SHA1

04757ff666e1afa31679dd6bed4ed3af671332a3
SHA256

0608a7559f895fab33ae65bbfbdc5bebd21eea984f76e1b5571c80906824d665
SHA512

cf572ca616b4f4e6e472e33e8d6d90b85d5885fa64d8bca4507450d66d65057efa771f58c31ea13f394fd0e7b0ff2fcaa9d54c61f28b27b98a79c27bc964f935
SSDEEP

196608:mRu4YAJSAfoaqA6U+L5LsSmyYbH6t08RMQcCqcGUIRBw0xvH77Y:2u4YAJSAfoaZ0sSmpH6W8R/RVIc2vH7

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015e4e-35.dat	family_monster
behavioral1/memory/1572-40-0x000000013FAF0000-0x0000000140D2F000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster

Executes dropped EXE 1 IoCs

pid	Process
1572	stub.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	monster.exe
1572	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1572	1604	monster.exe	28
PID 1604 wrote to memory of 1572	1604	monster.exe	28
PID 1604 wrote to memory of 1572	1604	monster.exe	28

C:\Users\Admin\AppData\Local\Temp\monster.exe
"C:\Users\Admin\AppData\Local\Temp\monster.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\onefile_1604_133652796704316000\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\monster.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_1604_133652796704316000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_1604_133652796704316000\stub.exe

Filesize
18.0MB

MD5
ed9d600d2e640eaa1c915dc516da9988

SHA1
9c10629bc0255009434e64deaee5b898fc3711e2

SHA256
2b8a2a3c53a019ca674287e1513a8e0851f2181699e37f385541537801ed1d41

SHA512
9001454bfabf2d9621ad997726aad281638c4b2e8dc134994f479d391bae91c5d0aa24317e85e8e91956cc34357e1ed9d6682f2fe9a023d74b003a420325db68

Download Submit
memory/1572-40-0x000000013FAF0000-0x0000000140D2F000-memory.dmp

Filesize
18.2MB

Download
memory/1604-75-0x000000013FDF0000-0x00000001408C8000-memory.dmp

Filesize
10.8MB

Download