monster | f8f81e9b7b349541d1dd6e990306f839ba1f2a7924630c14edd39b018ff5b8b5

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mining Crypto.exe
Size

11.0MB
MD5

c5bace275f9037e6e64819e3e2dac6e5
SHA1

8f55715751f2cc7231bb2593eacc15ee49edb09d
SHA256

f8f81e9b7b349541d1dd6e990306f839ba1f2a7924630c14edd39b018ff5b8b5
SHA512

0e8cbb735acfed0145603ebddbe1be5e02dd5e79cc6277fbd4e9c7a617b1790db80e1a886e732934e868ff24a5fb184a8c492c47dd32065ada5e3a2589a70803
SSDEEP

196608:F1Wx18CmQ6ADFxwNpp1v7QFpsslzon4s0D7uKj00qgDyp4EA2EQ2nEEgh:vA18CmUFSNpjcesla4s0DCB7NMEE

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001870f-37.dat	family_monster
behavioral1/memory/2472-40-0x000000013F8F0000-0x0000000140B26000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster

Executes dropped EXE 1 IoCs

pid	Process
2472	stub.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	Mining Crypto.exe
2472	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2472	2552	Mining Crypto.exe	30
PID 2552 wrote to memory of 2472	2552	Mining Crypto.exe	30
PID 2552 wrote to memory of 2472	2552	Mining Crypto.exe	30

C:\Users\Admin\AppData\Local\Temp\Mining Crypto.exe
"C:\Users\Admin\AppData\Local\Temp\Mining Crypto.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\onefile_2552_133654868455978000\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\Mining Crypto.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2552_133654868455978000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2552_133654868455978000\stub.exe

Filesize
17.9MB

MD5
6670b9a06b5ab7fb49ca6d5e56f43be0

SHA1
8d5cf860b24a4b5a10e3b0fd431df823836c97c5

SHA256
17a9b376d9eeeb3bf20a25629f6724540c3f6dbbf24672204e1a8e50b79f45df

SHA512
30da6a2c4d98b4ca24f694030d33d5d8e252109f0c187d2a7482fc45747d6d1f24170643f4a414310f5f5fa71be3109b796338d376d880481c5316a4b0b87c6c

Download Submit
memory/2472-40-0x000000013F8F0000-0x0000000140B26000-memory.dmp

Filesize
18.2MB

Download
memory/2552-75-0x000000013F090000-0x000000013FBA7000-memory.dmp

Filesize
11.1MB

Download