General

  • Target

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e.exe

  • Size

    360KB

  • Sample

    210925-g22beaaedr

  • MD5

    6e223f8e362245614a74d9865d0817b0

  • SHA1

    dd8d9ea9d62bcf6a7e69bbf6dd81457103bcc29e

  • SHA256

    9bbd49dbf0098e342cbb8935f8f40c92a395d45c04ef00f5df08b6953e30ca9e

  • SHA512

    36321cbe8c9b17a939241247baa27e204f51c2f8c8667cafd3ddd939159412ead8addf663b2285499396917f1bebe51cc9f1ec7c218645f877860010da5c4e1a

Targets

    • Registers COM server for autorun

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to access, control, and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
