webmonitor | 968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

General

Target

MATCH_OUTSTANDING_BILL.exe
Size

1.3MB
MD5

bd35dd1bc38521c4feb42f5ca266900c
SHA1

72ff48fbd0d0db7ee83e90edee6d90eee6719a57
SHA256

968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
SHA512

06aa1b4ad24c9ccfab98cc71c4ee6c88e4e4375b8641f738eebbeb0c8c67719f7596de47935597f894a36934b1cb6364c9ffbb6910ddea6e92182ddae4959ab1

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4016-125-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral2/memory/4016-126-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral2/memory/4016-127-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor

Suspicious use of SetThreadContext 1 IoCs

Processes:

MATCH_OUTSTANDING_BILL.exe

description pid process target process

PID 3008 set thread context of 4016 3008 MATCH_OUTSTANDING_BILL.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MATCH_OUTSTANDING_BILL.exe

pid process

3008 MATCH_OUTSTANDING_BILL.exe
3008 MATCH_OUTSTANDING_BILL.exe
3008 MATCH_OUTSTANDING_BILL.exe

description	pid	process	target process
PID 3008 set thread context of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe

pid	process
3008	MATCH_OUTSTANDING_BILL.exe
3008	MATCH_OUTSTANDING_BILL.exe
3008	MATCH_OUTSTANDING_BILL.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MATCH_OUTSTANDING_BILL.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3008	MATCH_OUTSTANDING_BILL.exe
Token: SeShutdownPrivilege	4016	RegSvcs.exe
Token: SeCreatePagefilePrivilege	4016	RegSvcs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

MATCH_OUTSTANDING_BILL.exeRegSvcs.exe

description	pid	process	target process
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 3580	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 3008 wrote to memory of 4016	3008	MATCH_OUTSTANDING_BILL.exe	RegSvcs.exe
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	cmd.exe
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	cmd.exe
PID 4016 wrote to memory of 200	4016	RegSvcs.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MATCH_OUTSTANDING_BILL.exe
"C:\Users\Admin\AppData\Local\Temp\MATCH_OUTSTANDING_BILL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0oedpNjBiUMqYbj7.bat" "
3⤵
PID:200

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0oedpNjBiUMqYbj7.bat
MD5
ba83e6b1c1ec9bf123da3e7131029628

SHA1
fe9f4d96bb4ff3cd6c578a195a9cf8bcdd4851be

SHA256
4f520545a68ca69ee50dc52072de4b3ac61119a280147e6a48619fd9516a9478

SHA512
0a2f4e79c3a5bac3ff9bcac4b203e776fc198b8dd2c21a0a8e5b11e51cb6076baf6351adbd9da44bf1dc06a81aa651370008019bf2e6727d793b60252177293a

Download Submit
memory/200-128-0x0000000000000000-mapping.dmp

Download
memory/3008-121-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3008-118-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/3008-119-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3008-120-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/3008-122-0x0000000005AF0000-0x0000000005B0B000-memory.dmp

Filesize
108KB

Download
memory/3008-123-0x0000000006770000-0x0000000006870000-memory.dmp

Filesize
1024KB

Download
memory/3008-124-0x0000000008D30000-0x0000000008E2E000-memory.dmp

Filesize
1016KB

Download
memory/3008-117-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/3008-116-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4016-125-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/4016-126-0x000000000049D8CA-mapping.dmp

Download
memory/4016-127-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads