General

  • Target

    f010795b19f2c56b230b7de0f9803cd3aeea208a.exe

  • Size

    2.0MB

  • Sample

    211015-qj6ylsbfgn

  • MD5

    517e0a4d7e27837a7075615032a6cc69

  • SHA1

    f010795b19f2c56b230b7de0f9803cd3aeea208a

  • SHA256

    f4743b96b2336504bd9b8207b0794da22e9eaf583703a7e3dd58cf872314ac4f

  • SHA512

    5c9f1b9c874587b79852e98fe7adb06f544dbbb5b5af7bd60205cd4c24a43e5ab37d85d4ccb1fb22815942e6546cf936f1caa371718440cd01618094a0f18bb7

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
