General

  • Target

    ff264d7e1f11b7f9e9e01cb24a65c68a7414e4de91e6bcf178ba36ba106f7684

  • Size

    649KB

  • Sample

    220221-lajdqsggd4

  • MD5

    325d388e2625e047a3a51f00526a785c

  • SHA1

    e096409b36543891e9e3df7ab30829fe67b72856

  • SHA256

    ff264d7e1f11b7f9e9e01cb24a65c68a7414e4de91e6bcf178ba36ba106f7684

  • SHA512

    103ac0f6e8f037d317fba166d4d663e651b726e00493575c86e9a8a6f83c292ab89611d3e3f5f95dd1456699d95a23749276f707efd523336cd79901bd784080

Malware Config

Extracted

Family

webmonitor

C2

ericpt.wm01.to:443

Attributes
  • config_key

    YmefzPZ4jwVJTOIYtP2HBKACzugd2Vme

  • private_key

    Bs4pqL3pA

  • url_path

    /recv5.php
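The extracted config above is enough to hunt for this sample's beacons: the C2 host and port, and the path the implant posts to. The Python below is an added example, not part of the sandbox report or of any WebMonitor tooling. It assumes a simplified whitespace-separated proxy-log format that is constructed here for illustration, and it infers the URL scheme from the port (443 is treated as https), which the config itself does not state.

```python
"""Turn the extracted WebMonitor config into hunt-ready IOCs and run them
over a few constructed proxy-log lines.  Added example; the log format is
made up for illustration and is not a real proxy's output."""
from urllib.parse import urlsplit

# Values copied from the extracted config in the report.
WEBMONITOR_CONFIG = {
    "family": "webmonitor",
    "c2": "ericpt.wm01.to:443",
    "url_path": "/recv5.php",
}

# SHA256 of the submitted file and of the Code.exe payload, from the report.
KNOWN_SHA256 = {
    "ff264d7e1f11b7f9e9e01cb24a65c68a7414e4de91e6bcf178ba36ba106f7684",
    "2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3",
}


def iocs_from_config(cfg):
    """Split 'host:port' and build the full beacon URL.
    Assumption: port 443 means TLS; the config does not say so explicitly."""
    host, _, port = cfg["c2"].rpartition(":")
    port = int(port)
    scheme = "https" if port == 443 else "http"
    return {
        "host": host.lower(),
        "port": port,
        "path": cfg["url_path"],
        "url": f"{scheme}://{host}:{port}{cfg['url_path']}",
    }


def is_known_sample(sha256_hex):
    """True if a file hash matches one of the hashes listed in the report."""
    return sha256_hex.lower() in KNOWN_SHA256


# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2022-02-21T10:01:02Z 10.0.0.15 GET https://example.com/ 200
2022-02-21T10:01:07Z 10.0.0.15 POST https://ericpt.wm01.to:443/recv5.php 200
2022-02-21T10:01:09Z 10.0.0.22 GET https://cdn.example.net/app.js 200
2022-02-21T10:02:11Z 10.0.0.15 POST https://ERICPT.wm01.to/recv5.php 200
2022-02-21T10:03:30Z 10.0.0.31 GET https://other.wm01.to/recv5.php 404
"""


def hunt_proxy_log(text, iocs):
    """Return (client, url, reason) for every line that touches the C2.

    A host match is reported on its own because beacon paths change between
    builds; a path match on some other host is reported at lower confidence
    so an analyst can decide whether it is the same operator's infrastructure.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        u = urlsplit(url)
        host = (u.hostname or "").lower()   # hostname is already lower-cased
        if host == iocs["host"]:
            reason = "c2-host+path" if u.path == iocs["path"] else "c2-host"
            hits.append((client, url, reason))
        elif u.path == iocs["path"]:
            hits.append((client, url, "c2-path-only"))
    return hits


if __name__ == "__main__":
    iocs = iocs_from_config(WEBMONITOR_CONFIG)
    print("beacon URL:", iocs["url"])
    for client, url, reason in hunt_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"{reason:14} {client:10} {url}")
```

Host matching is done on the parsed hostname rather than by substring so that a port, mixed case, or a longer domain containing the C2 name as a suffix does not produce false positives; the `c2-path-only` hits are there to be triaged, not alerted on by themselves.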

Targets

    • Target

      Code.exe

    • Size

      1.1MB

    • MD5

      149fdf05fd2659a44f84b7bea4ef1a8e

    • SHA1

      84d65206243408b367ad0fd3234b8d26fc6e4314

    • SHA256

      2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3

    • SHA512

      2d774b98d39c9571b6550c0de05c16991115199c639b5ca76b04477c420b4ade9c89b1c6c6eb4781012af36edb2dcaf3cc8c4d72c8c480d4e5472b4e8ab182d2

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that lets an operator control and monitor phones or PCs from any web browser.

    • WebMonitor Payload

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX variant.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
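The "Adds Run key to start application" signature is the persistence behaviour that the ATT&CK mapping further down records as T1060. The Python below is an added example of how to flag that behaviour in endpoint telemetry; it is not part of the sandbox report. It assumes Sysmon-style registry events (Event ID 13, value set) reduced to simple dictionaries, with the event contents constructed here for illustration; the `Code.exe` path is an assumption, since the report does not state where the payload was written. The SetThreadContext signature is not covered here, as Sysmon does not log that call.

```python
"""Flag Run-key persistence in Sysmon registry events.  Added example; the
events below are constructed in a simplified dict form, not real Sysmon XML,
and the file paths are assumptions rather than values from the report."""
import re

# ...\Microsoft\Windows\CurrentVersion\Run\<value> or ...\RunOnce\<value>,
# under HKLM or HKU\<SID> (how Sysmon writes HKCU).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 13 (RegistryEvent: Value Set) records.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Code.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Code",
     "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\Code.exe"},
    {"EventID": 13,
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"EventID": 13,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\Code.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop",
     "Details": "C:\\Users\\victim\\Desktop"},
]


def _from_user_writable_path(image):
    """Heuristic: binaries under a user profile or a temp directory are far
    more often malware than a system binary maintaining its own entry."""
    lowered = image.lower()
    return any(marker in lowered for marker in ("\\users\\", "\\appdata\\", "\\temp\\"))


def run_key_persistence(events):
    """Return one finding per Run/RunOnce value written, tagged with the
    ATT&CK v6 ID used in the report and its current equivalent."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        image = ev.get("Image", "")
        findings.append({
            "image": image,
            "value": target.rsplit("\\", 1)[-1],
            "command": ev.get("Details", ""),
            "confidence": "high" if _from_user_writable_path(image) else "low",
            "attack": ["T1060 (ATT&CK v6)", "T1547.001 (current ATT&CK)"],
        })
    return findings


if __name__ == "__main__":
    for f in run_key_persistence(SAMPLE_EVENTS):
        print(f"{f['confidence']:4} {f['value']:15} {f['image']} -> {f['command']}")
```

The confidence split is deliberate: a bare Run-key write is noisy on a real fleet (installers and system components do it constantly), so the writer's location, together with the UPX-packed payload and the C2 from the extracted config, is what turns this from a hunting lead into an alert.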

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            ID      Count
Persistence       Registry Run Keys / Startup Folder   T1060   1
Defense Evasion   Modify Registry                      T1112   1
Discovery         Query Registry                       T1012   1
Discovery         System Information Discovery         T1082   1

Technique IDs follow ATT&CK v6 as used by the sandbox; in current ATT&CK, T1060 has been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), while T1112, T1012 and T1082 keep their IDs.

Tasks