webmonitor | 968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

General

Target

MATCH_OUTSTANDING_BILL.exe
Size

1.3MB
MD5

bd35dd1bc38521c4feb42f5ca266900c
SHA1

72ff48fbd0d0db7ee83e90edee6d90eee6719a57
SHA256

968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
SHA512

06aa1b4ad24c9ccfab98cc71c4ee6c88e4e4375b8641f738eebbeb0c8c67719f7596de47935597f894a36934b1cb6364c9ffbb6910ddea6e92182ddae4959ab1

Score

10^/10

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4016-125-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/4016-126-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/4016-127-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3008 set thread context of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79

Suspicious behavior: EnumeratesProcesses 3 IoCs

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	MATCH_OUTSTANDING_BILL.exe
Token: SeShutdownPrivilege	4016	RegSvcs.exe
Token: SeCreatePagefilePrivilege	4016	RegSvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	78
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	78
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	78
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	79
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	81
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	81
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	81

C:\Users\Admin\AppData\Local\Temp\MATCH_OUTSTANDING_BILL.exe
"C:\Users\Admin\AppData\Local\Temp\MATCH_OUTSTANDING_BILL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0oedpNjBiUMqYbj7.bat" "
    3⤵
    PID:200

memory/3008-121-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3008-118-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3008-119-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3008-120-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3008-122-0x0000000005AF0000-0x0000000005B0B000-memory.dmp

Filesize
108KB

Download
memory/3008-123-0x0000000006770000-0x0000000006870000-memory.dmp

Filesize
1024KB

Download
memory/3008-124-0x0000000008D30000-0x0000000008E2E000-memory.dmp

Filesize
1016KB

Download
memory/3008-117-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/3008-116-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4016-125-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4016-127-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download