webmonitor | 0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348

General

Target

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
Size

1.6MB
MD5

727c2d4c6016849316ae589295508acc
SHA1

9782d9c356d7c7f83a92daf941cd0e34b2301e32
SHA256

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348
SHA512

cf083b91c210cc43006410648d096519cc45f6d2db40f2980f4b2816784ddfa8cf2b40b5eec277e0986cd192d3285806293d17ffd944d3376e9fa6798324bab8

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor
Executes dropped EXE 2 IoCs

Processes:

regsa.execrd_kg.exe

pid process

640 regsa.exe
804 crd_kg.exe

pid	process
640	regsa.exe
804	crd_kg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/640-128-0x00000000052F0000-0x000000000533B000-memory.dmp	upx
behavioral2/memory/4004-129-0x0000000000400000-0x00000000004C1000-memory.dmp	upx
behavioral2/memory/4004-132-0x0000000000400000-0x00000000004C1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exeregsa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-48c4 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-48c4.exe"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\regas.exe = "C:\\Users\\Admin\\AppData\\Roaming\\regas.exe"	regsa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsa.exe

description pid process target process

PID 640 set thread context of 4004 640 regsa.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsa.exe

pid process

640 regsa.exe
640 regsa.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsa.exe

description pid process

Token: SeDebugPrivilege 640 regsa.exe

description	pid	process	target process
PID 640 set thread context of 4004	640	regsa.exe	RegAsm.exe

pid	process
640	regsa.exe
640	regsa.exe

description	pid	process
Token: SeDebugPrivilege	640	regsa.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exeregsa.exe

description	pid	process	target process
PID 3016 wrote to memory of 640	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	regsa.exe
PID 3016 wrote to memory of 640	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	regsa.exe
PID 3016 wrote to memory of 640	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	regsa.exe
PID 3016 wrote to memory of 804	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	crd_kg.exe
PID 3016 wrote to memory of 804	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	crd_kg.exe
PID 3016 wrote to memory of 804	3016	0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe	crd_kg.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe
PID 640 wrote to memory of 4004	640	regsa.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe
"C:\Users\Admin\AppData\Local\Temp\0b41b1f1d338b4b082a88a385334d4cc85b6b7ef582bf15c5bd104839f195348.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\regsa.exe
C:\Users\Admin\AppData\Local\Temp/regsa.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Adds Run key to start application
PID:4004

C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
C:\Users\Admin\AppData\Local\Temp/crd_kg.exe
2⤵
- Executes dropped EXE
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
MD5
de153d61040dbd176c0fcd008a49cce2

SHA1
189e5be9a65607b217585f1bfb5c37cb340e6679

SHA256
0fefdf5bc7a7158a8b20089decdb56448598b12e63ad3a4559e4b7ba5a96fd83

SHA512
fccb996ce52f5f226633cc85309daca3b70ea7c423044873f1d5748df01b5f53c41005f0e5c7f9b2f9bff96520b44c86d9f15bdd684e68263546b21293c6adee

Download Submit
C:\Users\Admin\AppData\Local\Temp\crd_kg.exe
MD5
de153d61040dbd176c0fcd008a49cce2

SHA1
189e5be9a65607b217585f1bfb5c37cb340e6679

SHA256
0fefdf5bc7a7158a8b20089decdb56448598b12e63ad3a4559e4b7ba5a96fd83

SHA512
fccb996ce52f5f226633cc85309daca3b70ea7c423044873f1d5748df01b5f53c41005f0e5c7f9b2f9bff96520b44c86d9f15bdd684e68263546b21293c6adee

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsa.exe
MD5
5f0b09c5b83ba224470722579c70d544

SHA1
4562bd4f359d8e9b71060aac61702f36e5b36987

SHA256
abc253ca74f12208caafd6e8914db0a14f75fe9bd27d02c35522c7cc9bc97c43

SHA512
5b8371bbe12c564c6f93e8eb65e5d7539781123481fdc0c7099a39bf73b4083e483d16c3541b30185e2bf62a930c3519326eaa30546c20bcaee6760242fa64d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\regsa.exe
MD5
5f0b09c5b83ba224470722579c70d544

SHA1
4562bd4f359d8e9b71060aac61702f36e5b36987

SHA256
abc253ca74f12208caafd6e8914db0a14f75fe9bd27d02c35522c7cc9bc97c43

SHA512
5b8371bbe12c564c6f93e8eb65e5d7539781123481fdc0c7099a39bf73b4083e483d16c3541b30185e2bf62a930c3519326eaa30546c20bcaee6760242fa64d3

Download Submit
memory/640-127-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/640-128-0x00000000052F0000-0x000000000533B000-memory.dmp

Filesize
300KB

Download
memory/640-120-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/640-122-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/640-114-0x0000000000000000-mapping.dmp

Download
memory/640-123-0x0000000005120000-0x000000000519B000-memory.dmp

Filesize
492KB

Download
memory/640-126-0x00000000051A0000-0x00000000051C1000-memory.dmp

Filesize
132KB

Download
memory/640-125-0x0000000005050000-0x000000000557C000-memory.dmp

Filesize
5.2MB

Download
memory/640-131-0x0000000005050000-0x000000000557C000-memory.dmp

Filesize
5.2MB

Download
memory/804-124-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/804-116-0x0000000000000000-mapping.dmp

Download
memory/804-133-0x0000000000C53000-0x0000000000C55000-memory.dmp

Filesize
8KB

Download
memory/4004-129-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4004-130-0x00000000004BF970-mapping.dmp

Download
memory/4004-132-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads