webmonitor | 0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348

General

Target

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
Size

1.6MB
MD5

727c2d4c6016849316ae589295508acc
SHA1

9782d9c356d7c7f83a92daf941cd0e34b2301e32
SHA256

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348
SHA512

cf083b91c210cc43006410648d096519cc45f6d2db40f2980f4b2816784ddfa8cf2b40b5eec277e0986cd192d3285806293d17ffd944d3376e9fa6798324bab8

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

Executes dropped EXE 2 IoCs

Processes:

regsa.execrd_kg.exe

pid	Process
1988	regsa.exe
2020	crd_kg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1988-75-0x0000000000AE0000-0x0000000000B2B000-memory.dmp	upx
behavioral1/memory/832-76-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral1/memory/832-79-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

regsa.exeRegAsm.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\regas.exe = "C:\\Users\\Admin\\AppData\\Roaming\\regas.exe"	regsa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-3033 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-3033.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsa.exe

description	pid	Process	procid_target
PID 1988 set thread context of 832	1988	regsa.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsa.exe

pid	Process
1988	regsa.exe
1988	regsa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsa.exe

description	pid	Process
Token: SeDebugPrivilege	1988	regsa.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exeregsa.exe

description	pid	Process	procid_target
PID 1804 wrote to memory of 1988	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	25
PID 1804 wrote to memory of 1988	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	25
PID 1804 wrote to memory of 1988	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	25
PID 1804 wrote to memory of 1988	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	25
PID 1804 wrote to memory of 2020	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	27
PID 1804 wrote to memory of 2020	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	27
PID 1804 wrote to memory of 2020	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	27
PID 1804 wrote to memory of 2020	1804	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	27
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28
PID 1988 wrote to memory of 832	1988	regsa.exe	28

C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
"C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Users\Admin\AppData\Local\Temp\regsa.exe
  C:\Users\Admin\AppData\Local\Temp/regsa.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Adds Run key to start application
    PID:832
- C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
  C:\Users\Admin\AppData\Local\Temp/crd_kg.exe
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crd_kg.exe

MD5
de153d61040dbd176c0fcd008a49cce2

SHA1
189e5be9a65607b217585f1bfb5c37cb340e6679

SHA256
0fefdf5bc7a7158a8b20089decdb56448598b12e63ad3a4559e4b7ba5a96fd83

SHA512
fccb996ce52f5f226633cc85309daca3b70ea7c423044873f1d5748df01b5f53c41005f0e5c7f9b2f9bff96520b44c86d9f15bdd684e68263546b21293c6adee

Download Submit
C:\Users\Admin\AppData\Local\Temp\crd_kg.exe

MD5
de153d61040dbd176c0fcd008a49cce2

SHA1
189e5be9a65607b217585f1bfb5c37cb340e6679

SHA256
0fefdf5bc7a7158a8b20089decdb56448598b12e63ad3a4559e4b7ba5a96fd83

SHA512
fccb996ce52f5f226633cc85309daca3b70ea7c423044873f1d5748df01b5f53c41005f0e5c7f9b2f9bff96520b44c86d9f15bdd684e68263546b21293c6adee

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsa.exe

MD5
5f0b09c5b83ba224470722579c70d544

SHA1
4562bd4f359d8e9b71060aac61702f36e5b36987

SHA256
abc253ca74f12208caafd6e8914db0a14f75fe9bd27d02c35522c7cc9bc97c43

SHA512
5b8371bbe12c564c6f93e8eb65e5d7539781123481fdc0c7099a39bf73b4083e483d16c3541b30185e2bf62a930c3519326eaa30546c20bcaee6760242fa64d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsa.exe

MD5
5f0b09c5b83ba224470722579c70d544

SHA1
4562bd4f359d8e9b71060aac61702f36e5b36987

SHA256
abc253ca74f12208caafd6e8914db0a14f75fe9bd27d02c35522c7cc9bc97c43

SHA512
5b8371bbe12c564c6f93e8eb65e5d7539781123481fdc0c7099a39bf73b4083e483d16c3541b30185e2bf62a930c3519326eaa30546c20bcaee6760242fa64d3

Download Submit
memory/832-79-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/832-77-0x00000000004BF970-mapping.dmp

Download
memory/832-76-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1804-60-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1988-73-0x00000000005F0000-0x0000000000611000-memory.dmp

Filesize
132KB

Download
memory/1988-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1988-72-0x0000000000C80000-0x0000000000CFB000-memory.dmp

Filesize
492KB

Download
memory/1988-68-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/1988-74-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1988-75-0x0000000000AE0000-0x0000000000B2B000-memory.dmp

Filesize
300KB

Download
memory/1988-61-0x0000000000000000-mapping.dmp

Download
memory/2020-70-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2020-67-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2020-64-0x0000000000000000-mapping.dmp

Download
memory/2020-80-0x00000000005B5000-0x00000000005C6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads