monster | 7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win64.Evo-gen.11830.exe
Size

10.5MB
MD5

7fffe8702479239234bce6013bcad409
SHA1

ee7aaecaeff869350ead69c907b77d5b0afd3f09
SHA256

7870eda6f78bde1ea7c083ddf32a9aabd118b30f6b8617f4b9e6625edba0ff95
SHA512

8d5932d1fa8006c73e8576383425151439b4bf4637017f104a6c4e5cf202ce1c4a1dbec6d61adb794fd8a30c1300d6635d162df8630f9193c96239ec8b2a6869
SSDEEP

196608:F2f7uyka/QRjnlhNitMYQRs53WiJ4HO7tyc95Gwp+IUos1Ak+rqBdS4Kcm6PJ:F2FEj3omDRs9peutycqOye2H/KclPJ

Score

10^/10

monster stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015ed2-37.dat	family_monster
behavioral1/memory/2608-40-0x000000013F130000-0x0000000140156000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster

Executes dropped EXE 1 IoCs

Processes:

stub.exe

pid	Process
2608	stub.exe

Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Win64.Evo-gen.11830.exestub.exe

pid	Process
2788	SecuriteInfo.com.Win64.Evo-gen.11830.exe
2608	stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SecuriteInfo.com.Win64.Evo-gen.11830.exe

description	pid	Process	procid_target
PID 2788 wrote to memory of 2608	2788	SecuriteInfo.com.Win64.Evo-gen.11830.exe	31
PID 2788 wrote to memory of 2608	2788	SecuriteInfo.com.Win64.Evo-gen.11830.exe	31
PID 2788 wrote to memory of 2608	2788	SecuriteInfo.com.Win64.Evo-gen.11830.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.11830.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.11830.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\onefile_2788_133746182774686000\stub.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.11830.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\onefile_2788_133746182774686000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2788_133746182774686000\stub.exe

Filesize
15.9MB

MD5
1f4bbcf45463611b2321a428424e71ff

SHA1
102b8883177489e69964822db3adc4bb3ddba2b5

SHA256
1f0ad6f7003fbd3e3e8ebeb0e179ffd8b9ce43f0914b1041136c6603eaa6ebb2

SHA512
3613d74999fd7eedbe73ddb63f65529475a432b9203fd86b0f88b45ebff0d2e9192b27ce1c24f4e42eaee0c331bfea34a90764482990b5f2424c0f980c50a44a

Download Submit
memory/2608-40-0x000000013F130000-0x0000000140156000-memory.dmp

Filesize
16.1MB

Download
memory/2788-75-0x000000013FEB0000-0x0000000140957000-memory.dmp

Filesize
10.7MB

Download