Resubmissions

01-12-2024 17:26

241201-vzv89sxjf1 10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2024 17:26

General

  • Target

    MoonStealer-main/main.py

  • Size

    48KB

  • MD5

    ce6bbfc8f624a0590495fce46648d3f7

  • SHA1

    182880bb1eccc344455228afe6eabc28b0d25875

  • SHA256

    f4c4c2476408c644b2aebf613d42ef361e2a5630c7a62c505bf4c319aace6293

  • SHA512

    2cb207f86bd64ae448e26d456a9970bec46d7e196209983a9e1c822136248b6c4795bad4b58809d4cf1a74bdd46d5e7ff56b0c2933e5a94dffd7e414284ea58f

  • SSDEEP

    768:gDaj4Pvv8PZmsyhTuVJ7AWyykW2WMWLWLWLWQW7WP2uL12oqcW7WFufQtRPPWMCd:yaj4Pvv8PjyhCV1T2aRtufK8MK

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MoonStealer-main\main.py"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    2543a690347ee98273c4d4cb4a244ef7

    SHA1

    97f2487ddfe346add480850334bb1ef451fd5fc3

    SHA256

    222e1ee644d0596027a4d0cbddf3d1cc1a26d9d5f3f3f8a7ca7983be57d7cc1e

    SHA512

    09e73a16759636a5935d35c60f01ababd6c0dadf9667bf5838282dc178f60180bf1243d55995d7b1ba2b548ab171946611d653a2820a272e55f564472c440587