monster | 8ea36ccb6d0bac58664a245ba7ab5a9ebb6ba444985b9bea5cf201699cc3871c

Analysis

max time kernel
14s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe
Size

10.7MB
MD5

46cc1157f7333d7473e18467dfdad3ff
SHA1

2b962692c1ff004b5a48d9f4d697b3c293095b27
SHA256

614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c
SHA512

484326b404f75156c75aed68db74a5e331955cca509f0c73c77652f0b6f40dc9a8573ffaeb69c9e96a549b36664226aeead3bed4692a3002acdbe6b8df541921
SSDEEP

196608:JJTgBp37/NHq8B29LJEKWzJhRWY6Z0sU+FNuQ4zOZ+1ak3Yzb5:J1kFNHo+1bWYwUaMrz5aP/

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b50-35.dat	family_monster
behavioral1/memory/2844-40-0x000000013F370000-0x00000001405A5000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster

Executes dropped EXE 1 IoCs

pid	Process
2844	stub.exe

Loads dropped DLL 2 IoCs

pid	Process
2388	614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe
2844	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2844	2388	614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe	29
PID 2388 wrote to memory of 2844	2388	614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe	29
PID 2388 wrote to memory of 2844	2388	614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe	29

C:\Users\Admin\AppData\Local\Temp\614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe
"C:\Users\Admin\AppData\Local\Temp\614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\onefile_2388_133746157893548000\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\614ca907b16795bc293bf411af21b955c0ea47583dd4a5c659f7e00637d26b3c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2388_133746157893548000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2388_133746157893548000\stub.exe

Filesize
17.9MB

MD5
25fe249340a1d896ef126f0abd24090e

SHA1
cf87003008616e0f581a8a4a9dbae2306424121d

SHA256
acec790bd89e1cec3d629c1bb1ee2a99c392c75f32ccdb1dcc25babf775c043a

SHA512
01d85430a75d6481ce883ae85dcf70f9f07ec41b6fe1c9b62ac223ce865e45c2a08c262ceace51bf358773ce5372fecc4d1d893b63fdc8f18f133869ed319a48

Download Submit
memory/2388-75-0x000000013F4A0000-0x000000013FF75000-memory.dmp

Filesize
10.8MB

Download
memory/2844-40-0x000000013F370000-0x00000001405A5000-memory.dmp

Filesize
18.2MB

Download