Resubmissions

24-09-2021 14:18

210924-rmb33shbfl 10

23-09-2021 13:46

210923-q2y1qaedfr 10

17-09-2021 17:02

210917-vj9fysgab6 10

General

  • Target

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e

  • Size

    360KB

  • Sample

    210923-q2y1qaedfr

  • MD5

    6e223f8e362245614a74d9865d0817b0

  • SHA1

    dd8d9ea9d62bcf6a7e69bbf6dd81457103bcc29e

  • SHA256

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e

  • SHA512

    36321cbe8c9b17a939241247baa27e204f51c2f8c8667cafd3ddd939159412ead8addf663b2285499396917f1bebe51cc9f1ec7c218645f877860010da5c4e1a

Malware Config

Extracted

Family

webmonitor

C2

restrep0.wm01.to:443

Attributes
  • config_key

    rmGRTTf00SgxCRDiG5pe71nlU5TxVucQ

  • private_key

    7geUgzWms

  • url_path

    /recv4.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks