Overview

overview

10

Static

static

0b41b1f1d3...48.exe

windows7_x64

10

0b41b1f1d3...48.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    15-05-2021 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe

  • Size

    1.6MB

  • MD5

    727c2d4c6016849316ae589295508acc

  • SHA1

    9782d9c356d7c7f83a92daf941cd0e34b2301e32

  • SHA256

    0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348

  • SHA512

    cf083b91c210cc43006410648d096519cc45f6d2db40f2980f4b2816784ddfa8cf2b40b5eec277e0986cd192d3285806293d17ffd944d3376e9fa6798324bab8

Score
10/10
webmonitorbackdoorinfostealerpersistenceratupx

Malware Config

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • Executes dropped EXE 2 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
    "C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\regsa.exe
      C:\Users\Admin\AppData\Local\Temp/regsa.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        3⤵
        • Adds Run key to start application
        PID:832
    • C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
      C:\Users\Admin\AppData\Local\Temp/crd_kg.exe
      2⤵
      • Executes dropped EXE
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/832-79-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/832-76-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

    Download

  • memory/1804-60-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1988-73-0x00000000005F0000-0x0000000000611000-memory.dmp

    Filesize

    132KB

    Download

  • memory/1988-71-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-72-0x0000000000C80000-0x0000000000CFB000-memory.dmp

    Filesize

    492KB

    Download

  • memory/1988-68-0x00000000013D0000-0x00000000013D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-74-0x0000000000430000-0x0000000000431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-75-0x0000000000AE0000-0x0000000000B2B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2020-70-0x00000000005B0000-0x00000000005B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2020-67-0x0000000075801000-0x0000000075803000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2020-80-0x00000000005B5000-0x00000000005C6000-memory.dmp

    Filesize

    68KB

    Download