webmonitor | d14fb5a79ded18eb113e8ef66c9fdd4fc3e220113cebf1420b3cf5d7b41f4378 | Triage

Submit
Reports

Overview

overview

Static

static

Statement ...es.exe

windows7_x64

Statement ...es.exe

windows10-2004_x64

Sharing

General

Target

d14fb5a79ded18eb113e8ef66c9fdd4fc3e220113cebf1420b3cf5d7b41f4378
Size

853KB
Sample

220418-py3dasbca2
MD5

2c648e2452d3219d5014a37c0176f26b
SHA1

88284d3c795091bc0d09fffd6b6b0bd86f62290a
SHA256

d14fb5a79ded18eb113e8ef66c9fdd4fc3e220113cebf1420b3cf5d7b41f4378
SHA512

29a3004e0e20c35accec999bc0cc04a85f9ff350d359d5b9ebe7f42b291d1eb25be7f059a7436056847c33229f4d3c745e3d7d5e3fe14df5f12127a696374e54

Score

10^/10

webmonitor backdoor infostealer rat upx

Static task

static1

Behavioral task

behavioral1

Sample

Statement for due invoices.exe

Resource

win7-20220414-en

webmonitor backdoor infostealer rat upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Statement for due invoices.exe

Resource

win10v2004-20220414-en

webmonitor backdoor infostealer rat upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

webmonitor

C2

blackwire.wm01.to:443

Attributes

config_key
XHSPjxLqnkGzEknQM1EIWtzFAMfNcnJY
private_key
Bm19W87ME
url_path
/recv5.php

Targets

- Target
  
  Statement for due invoices.exe
- Size
  
  1020KB
- MD5
  
  39812fe18840e436a74aff55785f08d4
- SHA1
  
  88c0f62af95c53b0a4d1f2d9422c9016490851ed
- SHA256
  
  0d2cf62b947967dcece71936fe76d44d03d97f11c6ec580c67f33761a99ef708
- SHA512
  
  7188efcc5c683c4bdab4ad5dace8df49402e64de6c3bf6c6be980e831ae1aca9a7a094aee89f97236f1f00468e6ba93988dad2ca8c2778557f8f5d5418ccaa24
Score

10^/10

webmonitor backdoor infostealer rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor Payload
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerratupx

behavioral2

webmonitorbackdoorinfostealerratupx

© 2018-2024

Terms | Privacy