monster | f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe
Size

10.7MB
MD5

c616f203d102449f4f786727edd6db3f
SHA1

9dc74f2c0a6efc257636c2d6756002c132ed8c52
SHA256

f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba
SHA512

92f0f420da9085bb10b61a0a490a8ec918a83d2e9536ca384d728f297bb886e04269855dbb5506b0b73b46962b249219497700c60d6d6a88da3c0f91d0c30fd2
SSDEEP

196608:NmgBp37/NHPAj3DxH9pIpwQcfjunH6Z0sU+FNuQ4zOZ+1ak3Yzb5:QkFNHPAj3D1EwQcfqHwUaMrz5aP/

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016c4a-35.dat	family_monster
behavioral1/memory/1220-40-0x000000013FC00000-0x0000000140E35000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster

Executes dropped EXE 1 IoCs

Processes:

stub.exe

pid	Process
1220	stub.exe

Loads dropped DLL 2 IoCs

Processes:

f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exestub.exe

pid	Process
2700	f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe
1220	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 1220	2700	f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe	31
PID 2700 wrote to memory of 1220	2700	f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe	31
PID 2700 wrote to memory of 1220	2700	f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe	31

C:\Users\Admin\AppData\Local\Temp\f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe
"C:\Users\Admin\AppData\Local\Temp\f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\onefile_2700_133746174384898000\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\f75c4968c6d2020b5d027692fdefc58b334a95b5ee948f43d81207e7419e9eba.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2700_133746174384898000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2700_133746174384898000\stub.exe

Filesize
17.9MB

MD5
709a0098a1450a418caad159c16cd178

SHA1
680ca411bc2be955b310704b2062e0b59e208d54

SHA256
00841852b450e83babdab78306af91f1c9bbdb0bf9d574831abbf28dc9620d2b

SHA512
1c7117cd6926ea59f7cde3b756912d6e7127d2d1c210b7298284f15b742da6a7c3158f371544cfec1dc151fc6081d2d43fa3ba961f51c7a778c1043e79d137c6

Download Submit
memory/1220-40-0x000000013FC00000-0x0000000140E35000-memory.dmp

Filesize
18.2MB

Download
memory/2700-75-0x000000013F460000-0x000000013FF35000-memory.dmp

Filesize
10.8MB

Download