Overview

overview

10

Static

static

04ca9c3b62...ae.exe

windows7_x64

10

04ca9c3b62...ae.exe

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    04ca9c3b628ea6dad9416c02c1b49af193644b406cd6aba37d933df0e73ce9ae

  • Size

    1.6MB

  • Sample

    220320-bts26sebdn

  • MD5

    c5ef92f3ee5dd058aee7acc24617dc75

  • SHA1

    335b2cbb898146725bb81af4ca254971e1301e2f

  • SHA256

    04ca9c3b628ea6dad9416c02c1b49af193644b406cd6aba37d933df0e73ce9ae

  • SHA512

    9d4b10ceee22ac0eb59d6e7bc94f26a4bf6faff91306af370f6cb31f62d2eb28541de1c0f32d584ad1e1598417c94a75720fc0043e2c822e7fbba1f60f1b6bdd

Score
10/10
webmonitorbackdoorevasioninfostealerratsuricataupx

Malware Config

Targets

    • Target

      04ca9c3b628ea6dad9416c02c1b49af193644b406cd6aba37d933df0e73ce9ae

    • Size

      1.6MB

    • MD5

      c5ef92f3ee5dd058aee7acc24617dc75

    • SHA1

      335b2cbb898146725bb81af4ca254971e1301e2f

    • SHA256

      04ca9c3b628ea6dad9416c02c1b49af193644b406cd6aba37d933df0e73ce9ae

    • SHA512

      9d4b10ceee22ac0eb59d6e7bc94f26a4bf6faff91306af370f6cb31f62d2eb28541de1c0f32d584ad1e1598417c94a75720fc0043e2c822e7fbba1f60f1b6bdd

    Score
    10/10
    webmonitorbackdoorevasioninfostealerratsuricataupx

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

      backdoorratinfostealerwebmonitor

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

      suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

      suricata

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks