General

  • Target

    18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52

  • Size

    1.1MB

  • Sample

    220415-a5zhnafabk

  • MD5

    46251cfdab21778b84b03cf7ce34f48c

  • SHA1

    a30a503554703f2f9d4839636433f69ae0cd0ceb

  • SHA256

    18ee3ef64924f4dd006ac40ef62aba58ffa82c49b705209bda9d378c183a6c52

  • SHA512

    34b413075368fa09b2b6c7cbd76f7cae2f734f1cf0f47f839b2eed1747ee99d054a57753ebf13202f762ab735961b6011b5b400bafce2cf4913873b23f49bb5f

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks