Resubmissions
- 01-12-2024 17:26, 241201-vzv89sxjf1 (score 10)

Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2024 17:26
Behavioral tasks
- behavioral1: Sample MoonStealer-main/MoonStealer_assets/upx/updater.exe, Resource win7-20240903-en
- behavioral2: Sample MoonStealer-main/MoonStealer_assets/upx/updater.exe, Resource win10v2004-20241007-en
- behavioral3: Sample MoonStealer-main/MoonStealer_assets/upx/upx.exe, Resource win7-20240903-en
- behavioral4: Sample MoonStealer-main/MoonStealer_assets/upx/upx.exe, Resource win10v2004-20241007-en
- behavioral5: Sample MoonStealer-main/builder.py, Resource win7-20240903-en
- behavioral6: Sample MoonStealer-main/builder.py, Resource win10v2004-20241007-en
- behavioral7: Sample MoonStealer-main/install.bat, Resource win7-20240708-en
- behavioral8: Sample MoonStealer-main/install.bat, Resource win10v2004-20241007-en
- behavioral9: Sample MoonStealer-main/main.py, Resource win7-20240903-en
- behavioral10: Sample MoonStealer-main/main.py, Resource win10v2004-20241007-en
- behavioral11: Sample MoonStealer-main/start.bat, Resource win7-20241023-en
- behavioral12: Sample MoonStealer-main/start.bat, Resource win10v2004-20241007-en
General
- Target: MoonStealer-main/builder.py
- Size: 6KB
- MD5: 48d51f59c5177750328641c797c0f478
- SHA1: 618ccea3f2ae5e435430e779579f9cd2c84c1dd2
- SHA256: 8d84f48da564d51a2ca621554179e82f9bf12ca5db097977a2146b373c6fad32
- SHA512: 918ff4b93338e9c75542b04c3bd1ba12b5562660d64eca679e9bc782bf8a81ea31efdfa779e270a96f2da641e694a86a0e0d433d9bfb95c70bd72d3051396ead
- SSDEEP: 96:SFvQsZlbpdIV9ll+zVHJllFSYUCSPlbpdIV1ll+zVHRllFiYbRZfY7DGZ2we8Gzo:IZlbpd8QztMPlbpd8IztbZf0GZzjv4A7
Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
    2544 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    2544 | AcroRd32.exe
    2544 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | procid_target):
    PID 2328 wrote to memory of 2228 | 2328 | cmd.exe | 32
    PID 2328 wrote to memory of 2228 | 2328 | cmd.exe | 32
    PID 2328 wrote to memory of 2228 | 2328 | cmd.exe | 32
    PID 2228 wrote to memory of 2544 | 2228 | rundll32.exe | 33
    PID 2228 wrote to memory of 2544 | 2228 | rundll32.exe | 33
    PID 2228 wrote to memory of 2544 | 2228 | rundll32.exe | 33
    PID 2228 wrote to memory of 2544 | 2228 | rundll32.exe | 33
Processes (process tree, depth shown in brackets)
- [1] C:\Windows\system32\cmd.exe (PID 2328)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\builder.py
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\rundll32.exe (PID 2228)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\builder.py
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2544)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\builder.py"
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: ddb4069e836588bd360156d2914aabbb
  SHA1: fa1cfe5135107de6a282516952ae5ea310046dd2
  SHA256: 94a65efbfae0eba0ad8a7035274534161f6ee022fd2a5063d59a3b2ab4c77328
  SHA512: 22e01dbbca574cbc024e15633ab5b006a61446e98a2396cd633e0e759023f3e804d0d3c5f5d79f4f33fffe884520c5fc964d248bdf221bd5c196122dfbb81781