General

  • Target

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e

  • Size

    360KB

  • Sample

    210923-q2y1qaedfr

  • MD5

    6e223f8e362245614a74d9865d0817b0

  • SHA1

    dd8d9ea9d62bcf6a7e69bbf6dd81457103bcc29e

  • SHA256

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e

  • SHA512

    36321cbe8c9b17a939241247baa27e204f51c2f8c8667cafd3ddd939159412ead8addf663b2285499396917f1bebe51cc9f1ec7c218645f877860010da5c4e1a

Malware Config

Extracted

Family

webmonitor

C2

restrep0.wm01.to:443

Attributes

  • config_key

    rmGRTTf00SgxCRDiG5pe71nlU5TxVucQ

  • private_key

    7geUgzWms

  • url_path

    /recv4.php
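The extracted C2 host, port and URL path are the hunt keys for this sample. The script below is an added example, not the sandbox's or RevCode's code: it runs those values over a few constructed (fake) DNS and proxy log lines, distinguishes a full match on host, port and path from a host-only match, and emits a local Suricata rule for the DNS lookup. The log format, the `$HOME_NET` variable and the SID are assumptions, and the rule is a custom one, not the Emerging Threats signature the sandbox reports.

```python
"""IOC matching for the WebMonitor config extracted above.

Added example (not code from the sandbox report). Log formats below are
constructed for the demo: dns lines are "ts client query", proxy lines are
"ts client method host port path".
"""

C2_HOST = "restrep0.wm01.to"   # from the extracted config
C2_PORT = 443
C2_PATH = "/recv4.php"

# Constructed sample logs, not taken from the page.
DNS_LOG = """\
1632380001.1 10.0.0.5 www.example.com
1632380002.3 10.0.0.7 restrep0.wm01.to
1632380003.9 10.0.0.9 cdn.restrep0.wm01.to
1632380004.2 10.0.0.5 notrestrep0.wm01.to.example.net
"""

PROXY_LOG = """\
1632380005.0 10.0.0.7 POST restrep0.wm01.to 443 /recv4.php
1632380006.0 10.0.0.5 GET www.example.com 80 /index.html
1632380007.0 10.0.0.8 POST restrep0.wm01.to 443 /recv3.php
"""


def domain_matches(query, c2=C2_HOST):
    """True for the C2 domain itself or any subdomain (case/trailing-dot insensitive).

    A plain substring test would also hit 'notrestrep0.wm01.to.example.net',
    so the match is anchored on label boundaries.
    """
    q = query.rstrip(".").lower()
    return q == c2 or q.endswith("." + c2)


def scan_dns(log):
    """Return (client, query) for every DNS lookup of the C2 domain."""
    hits = []
    for line in log.splitlines():
        _ts, client, query = line.split()
        if domain_matches(query):
            hits.append((client, query))
    return hits


def scan_proxy(log, c2=C2_HOST, port=C2_PORT, path=C2_PATH):
    """Return (client, host, kind) where kind is 'exact' when port and
    URL path also match the config and 'host-only' otherwise.

    Both are worth an alert; the split only helps prioritisation, since a
    rebuilt payload may use a different url_path against the same host.
    """
    hits = []
    for line in log.splitlines():
        _ts, client, _method, host, dport, uri = line.split()
        if domain_matches(host, c2):
            exact = int(dport) == port and uri.split("?")[0] == path
            hits.append((client, host, "exact" if exact else "host-only"))
    return hits


def suricata_dns_rule(c2=C2_HOST, sid=9000001):
    """Local Suricata (5+) rule for the DNS lookup; SID is an assumption."""
    return (
        "alert dns $HOME_NET any -> any any "
        f'(msg:"LOCAL WebMonitor/RevCode C2 domain in DNS lookup ({c2})"; '
        f'dns.query; content:"{c2}"; nocase; endswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    print(scan_dns(DNS_LOG))
    print(scan_proxy(PROXY_LOG))
    print(suricata_dns_rule())
```

On the sample logs the DNS scan returns the two genuine lookups (direct and subdomain) and skips the look-alike, and the proxy scan flags one exact config match and one host-only match.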

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor (sold by RevCode) is a remote access tool that lets an operator control and monitor phones and PCs from any web browser.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

      suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or with a modified UPX build.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
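The "UPX packed file" signature above covers both stock and modified UPX. The script below is an added example, not the sandbox's detector: it parses a PE section table and reports the obvious marker (UPX0/UPX1 section names) as well as the layout that survives renaming, a first section with no raw data on disk that is marked writable and executable, which is where the stub unpacks the original image at runtime. The PE headers it checks are constructed inline for the demo; pass a real file path to check a sample.

```python
"""UPX triage check on a PE section table.

Added example, not sandbox code. build_pe() constructs header-only PE
images for the demo; they are not real samples.
"""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX3"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return [(name, VirtualSize, SizeOfRawData, Characteristics)] from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, rsize, _rptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vsize, rsize, chars))
    return sections


def upx_indicators(sections):
    """Return the reasons a section layout looks UPX-packed (empty list if none)."""
    reasons = []
    if any(s[0] in UPX_SECTION_NAMES for s in sections):
        reasons.append("UPX section names present")
    if sections:
        # Modified UPX builds usually rename sections, so also check the
        # layout: the first section is empty on disk but large and RWX in
        # memory because the decompression stub writes the real code into it.
        _name, vsize, rsize, chars = sections[0]
        if rsize == 0 and vsize > 0 and chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            reasons.append("first section empty on disk but RWX-sized in memory (UPX layout)")
    return reasons


def build_pe(section_specs):
    """Constructed header-only PE32 image for the demo (assumption, not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    table = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, rsize, chars in section_specs
    )
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: stock UPX names, renamed-but-same-layout UPX, and a normal binary.
UPX_SAMPLE = build_pe([(b"UPX0", 0x30000, 0, 0xE0000080),
                       (b"UPX1", 0x10000, 0xF000, 0xE0000040),
                       (b".rsrc", 0x1000, 0x800, 0xC0000040)])
RENAMED_UPX_SAMPLE = build_pe([(b".text", 0x30000, 0, 0xE0000080),
                               (b".data", 0x10000, 0xF000, 0xE0000040)])
CLEAN_SAMPLE = build_pe([(b".text", 0x5000, 0x5000, 0x60000020),
                         (b".data", 0x1000, 0x600, 0xC0000040)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else UPX_SAMPLE
    print(upx_indicators(parse_sections(data)) or ["no UPX indicators"])
```

The layout heuristic is deliberately narrow (zero raw size plus write and execute on the first section) so that ordinary binaries with a leading `.bss`-style section, which is not executable, do not trip it; a hit from either check is a reason to unpack before static analysis, not proof of UPX on its own.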

MITRE ATT&CK Matrix

  Tactic columns shown: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation