Resubmissions
01-12-2024 17:26  241201-vzv89sxjf1  (score 10)

Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2024 17:26
Behavioral tasks
behavioral1: MoonStealer-main/MoonStealer_assets/upx/updater.exe (resource win7-20240903-en)
behavioral2: MoonStealer-main/MoonStealer_assets/upx/updater.exe (resource win10v2004-20241007-en)
behavioral3: MoonStealer-main/MoonStealer_assets/upx/upx.exe (resource win7-20240903-en)
behavioral4: MoonStealer-main/MoonStealer_assets/upx/upx.exe (resource win10v2004-20241007-en)
behavioral5: MoonStealer-main/builder.py (resource win7-20240903-en)
behavioral6: MoonStealer-main/builder.py (resource win10v2004-20241007-en)
behavioral7: MoonStealer-main/install.bat (resource win7-20240708-en)
behavioral8: MoonStealer-main/install.bat (resource win10v2004-20241007-en)
behavioral9: MoonStealer-main/main.py (resource win7-20240903-en)
behavioral10: MoonStealer-main/main.py (resource win10v2004-20241007-en)
behavioral11: MoonStealer-main/start.bat (resource win7-20241023-en)
behavioral12: MoonStealer-main/start.bat (resource win10v2004-20241007-en)
General
Target: MoonStealer-main/main.py
Size: 48KB
MD5: ce6bbfc8f624a0590495fce46648d3f7
SHA1: 182880bb1eccc344455228afe6eabc28b0d25875
SHA256: f4c4c2476408c644b2aebf613d42ef361e2a5630c7a62c505bf4c319aace6293
SHA512: 2cb207f86bd64ae448e26d456a9970bec46d7e196209983a9e1c822136248b6c4795bad4b58809d4cf1a74bdd46d5e7ff56b0c2933e5a94dffd7e414284ea58f
SSDEEP: 768:gDaj4Pvv8PZmsyhTuVJ7AWyykW2WMWLWLWLWQW7WP2uL12oqcW7WFufQtRPPWMCd:yaj4Pvv8PjyhCV1T2aRtufK8MK
Malware Config

Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AcroRd32.exe
    description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes: rundll32.exe
    description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings | Process: rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: AcroRd32.exe
    pid: 2736 | Process: AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
    pid: 2736 | Process: AcroRd32.exe
    pid: 2736 | Process: AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
    description | pid | Process | procid_target
    PID 2512 wrote to memory of 1996 | 2512 | cmd.exe | 32
    PID 2512 wrote to memory of 1996 | 2512 | cmd.exe | 32
    PID 2512 wrote to memory of 1996 | 2512 | cmd.exe | 32
    PID 1996 wrote to memory of 2736 | 1996 | rundll32.exe | 33
    PID 1996 wrote to memory of 2736 | 1996 | rundll32.exe | 33
    PID 1996 wrote to memory of 2736 | 1996 | rundll32.exe | 33
    PID 1996 wrote to memory of 2736 | 1996 | rundll32.exe | 33
Processes
1. C:\Windows\system32\cmd.exe
   command line: cmd /c C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
   PID: 2512
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (child of PID 2512)
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
      PID: 1996
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of PID 1996)
         command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py"
         PID: 2736
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 2543a690347ee98273c4d4cb4a244ef7
SHA1: 97f2487ddfe346add480850334bb1ef451fd5fc3
SHA256: 222e1ee644d0596027a4d0cbddf3d1cc1a26d9d5f3f3f8a7ca7983be57d7cc1e
SHA512: 09e73a16759636a5935d35c60f01ababd6c0dadf9667bf5838282dc178f60180bf1243d55995d7b1ba2b548ab171946611d653a2820a272e55f564472c440587