General

  • Target

    18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e.exe

  • Size

    10.7MB

  • Sample

    241103-csbbea1qay

  • MD5

    2cb47309bb7dde63256835d5c872b2f9

  • SHA1

    8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d

  • SHA256

    18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e

  • SHA512

    3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104

  • SSDEEP

    196608:0fz2+H2MV7hNz9MAW6gqN7jurlhL3UfwtkABUZsNp24A2kfDhdGBeIz4:8n2MV9NZMAZgqNHupNkfEkABUSnjQF8

Malware Config

Targets

    • Target

      18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e.exe

    • Size

      10.7MB

    • MD5

      2cb47309bb7dde63256835d5c872b2f9

    • SHA1

      8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d

    • SHA256

      18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e

    • SHA512

      3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104

    • SSDEEP

      196608:0fz2+H2MV7hNz9MAW6gqN7jurlhL3UfwtkABUZsNp24A2kfDhdGBeIz4:8n2MV9NZMAZgqNHupNkfEkABUSnjQF8

    • Detects Monster Stealer.

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Exelastealer family

    • Monster

      Monster is a Golang stealer that was discovered in 2024.

    • Monster family

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Enumerates processes with tasklist

    • Hide Artifacts: Hidden Files and Directories

MITRE ATT&CK Enterprise v15

Tasks