webmonitor | 8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f

General

Target

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
Size

1.6MB
MD5

2418bc399c5e287e7c25c7c0d83a5c13
SHA1

a3e6d95474651b6ccd55cf125c898792507fc958
SHA256

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f
SHA512

cc548c5b2e1281185c53ee8d941f8e681cf9a3f11df20e7b1eb98ea07b1521b02677e7e4b7f8ae1dc6ffcdfc477ce7ba1c3e862c6a671a01e7dd147206dd19a2

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-69-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral1/memory/960-70-0x0000000000400000-0x00000000005F7000-memory.dmp	family_webmonitor
behavioral1/memory/960-72-0x0000000002D40000-0x0000000003D40000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/960-62-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-64-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-66-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-69-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-70-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-68-0x0000000000400000-0x00000000005F7000-memory.dmp	upx
behavioral1/memory/960-67-0x0000000000400000-0x00000000005F7000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

description	pid	process	target process
PID 1764 set thread context of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1692 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

pid process

1764 8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

pid	process
1692	schtasks.exe

pid	process
1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

description	pid	process
Token: SeDebugPrivilege	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
Token: SeDebugPrivilege	960	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
Token: SeShutdownPrivilege	960	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

description	pid	process	target process
PID 1764 wrote to memory of 1692	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	schtasks.exe
PID 1764 wrote to memory of 1692	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	schtasks.exe
PID 1764 wrote to memory of 1692	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	schtasks.exe
PID 1764 wrote to memory of 1692	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	schtasks.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
PID 1764 wrote to memory of 960	1764	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe	8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe

C:\Users\Admin\AppData\Local\Temp\8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
"C:\Users\Admin\AppData\Local\Temp\8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uuLZHftKjZYI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A57.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\8ea3556813e7d871f37b1d3954c278a08da132f48f5d5c475c075415b9adba9f.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6A57.tmp

MD5
8f97099b9591f64bf3d77a5740f21d5b

SHA1
2aee141d9c43bfcb9cdca015f63f4fd13d31fd0e

SHA256
ee39f49e221dacc767516f7f7c8edb67d44b968c8895b7dbc858c955751194c3

SHA512
28a0be35f0f10250d5695edb71ed5b19d1690e746af89c9e6e616b8076b139e3e7d7c6f36055c8afec1a516d5de95ace6078f3ce3bcbb05a3cc607d139bc7e0f

Download Submit
memory/960-68-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-70-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-72-0x0000000002D40000-0x0000000003D40000-memory.dmp

Filesize
16.0MB

Download
memory/960-71-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/960-67-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-60-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-64-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-66-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-62-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/960-69-0x0000000000400000-0x00000000005F7000-memory.dmp

Filesize
2.0MB

Download
memory/1764-56-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1764-54-0x0000000000E80000-0x0000000001028000-memory.dmp

Filesize
1.7MB

Download
memory/1764-55-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/1764-58-0x0000000005E30000-0x0000000005F70000-memory.dmp

Filesize
1.2MB

Download
memory/1764-57-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads