monster | 912a8bf9175eb19e46272ad9a49a14e192e936df2e2801038778aa58c00de723

Analysis

max time kernel
85s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/02/2025, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bltools 2.9.1[PRO]/Bltools 2.9.1 [PRO].exe
Size

14.0MB
MD5

59fa48be8a4b93d5b6264b3f30a42c57
SHA1

35af02f02568cf21d954a79972a3e1b9a88c14c1
SHA256

0a602136ae066c54d87a8d275fab10d34df115b49a3ea580b8c825a6c637a669
SHA512

4ae4485a3daae4cfb703b46ef76b1f9979bdef8e9b21d7d8527a5dd73d88e34c36ec7d08230469cd98981a15ad72104d98acd5ed64ca906282770b141d406065
SSDEEP

393216:jehC8odGNhEge3fk76ni3DuAOTFbXkO/14:yhC9QOp06izuHTFb0O94

Score

10^/10

monster discovery stealer

Malware Config

Signatures

Detects Monster Stealer. 2 IoCs

resource	yara_rule
behavioral3/files/0x000500000001a3fd-56.dat	family_monster
behavioral3/memory/2848-61-0x000000013F2D0000-0x0000000140506000-memory.dmp	family_monster

Monster
Monster is a Golang stealer that was discovered in 2024.
stealer monster
Monster family
monster

Executes dropped EXE 3 IoCs

pid	Process
1456	XConfig.setup.exe
2912	Settings.exe
2848	stub.exe

Loads dropped DLL 3 IoCs

pid	Process
1628	Bltools 2.9.1 [PRO].exe
2912	Settings.exe
2848	stub.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1456	XConfig.setup.exe
1456	XConfig.setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XConfig.setup.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	XConfig.setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	XConfig.setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	XConfig.setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	XConfig.setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	XConfig.setup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	XConfig.setup.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 1456	1628	Bltools 2.9.1 [PRO].exe	30
PID 1628 wrote to memory of 2912	1628	Bltools 2.9.1 [PRO].exe	31
PID 1628 wrote to memory of 2912	1628	Bltools 2.9.1 [PRO].exe	31
PID 1628 wrote to memory of 2912	1628	Bltools 2.9.1 [PRO].exe	31
PID 2912 wrote to memory of 2848	2912	Settings.exe	32
PID 2912 wrote to memory of 2848	2912	Settings.exe	32
PID 2912 wrote to memory of 2848	2912	Settings.exe	32

C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Bltools 2.9.1 [PRO].exe
"C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Bltools 2.9.1 [PRO].exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\XConfig.setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\XConfig.setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Settings.exe
  "C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Settings.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\onefile_2912_133850847886670000\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Settings.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\XConfig.setup.exe

Filesize
3.2MB

MD5
025d637741b1b326ded2e99e6b54ed77

SHA1
5fb6a288559f54aeb42203cf5e44a072c74f942f

SHA256
d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860

SHA512
720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2912_133850847886670000\python310.dll

Filesize
4.3MB

MD5
c80b5cb43e5fe7948c3562c1fff1254e

SHA1
f73cb1fb9445c96ecd56b984a1822e502e71ab9d

SHA256
058925e4bbfcb460a3c00ec824b8390583baef0c780a7c7ff01d43d9eec45f20

SHA512
faa97a9d5d2a0bf78123f19f8657c24921b907268938c26f79e1df6d667f7bee564259a3a11022e8629996406cda9fa00434bb2b1de3e10b9bddc59708dbad81

Download Submit
\Users\Admin\AppData\Local\Temp\Bltools 2.9.1[PRO]\Settings.exe

Filesize
10.7MB

MD5
f48d8f28e2b8138e30b5031ae90f79f9

SHA1
6c6e00d7a5a295f7814f082c5650070c25e868ab

SHA256
c0e7d1d19d8d48d10db4458cfee55d4926e3bbe72147c8d7e6c0fbd1c33e66ec

SHA512
ea066497681861fa7ce2e7234569415c2621f9a80ef3dc7c86ac8bb382f697025ec87003b28f389e164f64aaccefb950917978772cb6b5a21fd18bf766f1f6a0

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2912_133850847886670000\stub.exe

Filesize
17.9MB

MD5
6670b9a06b5ab7fb49ca6d5e56f43be0

SHA1
8d5cf860b24a4b5a10e3b0fd431df823836c97c5

SHA256
17a9b376d9eeeb3bf20a25629f6724540c3f6dbbf24672204e1a8e50b79f45df

SHA512
30da6a2c4d98b4ca24f694030d33d5d8e252109f0c187d2a7482fc45747d6d1f24170643f4a414310f5f5fa71be3109b796338d376d880481c5316a4b0b87c6c

Download Submit
memory/1456-99-0x00000000005D0000-0x00000000005F4000-memory.dmp

Filesize
144KB

Download
memory/1456-100-0x0000000005A30000-0x000000000635C000-memory.dmp

Filesize
9.2MB

Download
memory/1456-108-0x00000000098A0000-0x00000000098A2000-memory.dmp

Filesize
8KB

Download
memory/1456-107-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1456-97-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1456-98-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1456-15-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1456-35-0x0000000001130000-0x0000000001880000-memory.dmp

Filesize
7.3MB

Download
memory/1456-101-0x0000000000F40000-0x0000000000F90000-memory.dmp

Filesize
320KB

Download
memory/1456-102-0x0000000000F90000-0x0000000000FF0000-memory.dmp

Filesize
384KB

Download
memory/1456-103-0x0000000000A80000-0x0000000000AA0000-memory.dmp

Filesize
128KB

Download
memory/1456-104-0x0000000006360000-0x00000000064A2000-memory.dmp

Filesize
1.3MB

Download
memory/1456-106-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/1456-105-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2848-61-0x000000013F2D0000-0x0000000140506000-memory.dmp

Filesize
18.2MB

Download
memory/2912-96-0x000000013F240000-0x000000013FD15000-memory.dmp

Filesize
10.8MB

Download