monster | 0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669

General

Target

Bltools 2.9.1 [PRO].exe
Size

14.0MB
MD5

59fa48be8a4b93d5b6264b3f30a42c57
SHA1

35af02f02568cf21d954a79972a3e1b9a88c14c1
SHA256

0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669
SHA512

4ae4485a3daae4cfb703b46ef76b1f9979bdef8e9b21d7d8527a5dd73d88e34c36ec7d08230469cd98981a15ad72104d98acd5ed64ca906282770b141d406065
SSDEEP

393216:jehC8odGNhEge3fk76ni3DuAOTFbXkO/14:yhC9QOp06izuHTFb0O94

Score

10^/10

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000174cc-58.dat	family_monster
behavioral1/memory/2620-62-0x000000013F9A0000-0x0000000140BD6000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster

Executes dropped EXE 3 IoCs

pid	Process
2272	XConfig.setup.exe
1564	Settings.exe
2620	stub.exe

Loads dropped DLL 3 IoCs

pid	Process
2596	Bltools 2.9.1 [PRO].exe
1564	Settings.exe
2620	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2272	XConfig.setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XConfig.setup.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 2272	2596	Bltools 2.9.1 [PRO].exe	30
PID 2596 wrote to memory of 1564	2596	Bltools 2.9.1 [PRO].exe	31
PID 2596 wrote to memory of 1564	2596	Bltools 2.9.1 [PRO].exe	31
PID 2596 wrote to memory of 1564	2596	Bltools 2.9.1 [PRO].exe	31
PID 1564 wrote to memory of 2620	1564	Settings.exe	32
PID 1564 wrote to memory of 2620	1564	Settings.exe	32
PID 1564 wrote to memory of 2620	1564	Settings.exe	32

C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1 [PRO].exe
"C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1 [PRO].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe
  "C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\Settings.exe
  "C:\Users\Admin\AppData\Local\Temp\Settings.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\onefile_1564_133850847247414000\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Settings.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Settings.exe

Filesize
10.7MB

MD5
f48d8f28e2b8138e30b5031ae90f79f9

SHA1
6c6e00d7a5a295f7814f082c5650070c25e868ab

SHA256
c0e7d1d19d8d48d10db4458cfee55d4926e3bbe72147c8d7e6c0fbd1c33e66ec

SHA512
ea066497681861fa7ce2e7234569415c2621f9a80ef3dc7c86ac8bb382f697025ec87003b28f389e164f64aaccefb950917978772cb6b5a21fd18bf766f1f6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XConfig.setup.exe

Filesize
3.2MB

MD5
025d637741b1b326ded2e99e6b54ed77

SHA1
5fb6a288559f54aeb42203cf5e44a072c74f942f

SHA256
d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860

SHA512
720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133850847247414000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1564_133850847247414000\stub.exe

Filesize
17.9MB

MD5
6670b9a06b5ab7fb49ca6d5e56f43be0

SHA1
8d5cf860b24a4b5a10e3b0fd431df823836c97c5

SHA256
17a9b376d9eeeb3bf20a25629f6724540c3f6dbbf24672204e1a8e50b79f45df

SHA512
30da6a2c4d98b4ca24f694030d33d5d8e252109f0c187d2a7482fc45747d6d1f24170643f4a414310f5f5fa71be3109b796338d376d880481c5316a4b0b87c6c

Download Submit
memory/1564-97-0x000000013F140000-0x000000013FC15000-memory.dmp

Filesize
10.8MB

Download
memory/2272-19-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2272-51-0x0000000000180000-0x00000000008D0000-memory.dmp

Filesize
7.3MB

Download
memory/2272-61-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2620-62-0x000000013F9A0000-0x0000000140BD6000-memory.dmp

Filesize
18.2MB

Download

Analysis

Sharing