webmonitor | b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769

General

Target

b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
Size

1.1MB
MD5

4d08cd26844d557101ce21938812261c
SHA1

fce26de220032955493d70dfb7b2b3e9bf04d909
SHA256

b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769
SHA512

dcf1b8fed11f5b4bbc54e0e80bf5cda4cd7cf34bb2f478bbf4971a36d78bc6c7cb36b5e57539bc7bbc1445d476913dca818ef7cab208ef7da7beed17f2dd0809

Score

10^/10

webmonitor backdoor infostealer rat

Malware Config

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1256-137-0x0000000001180000-0x0000000001273000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

pid	Process
1256	svhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
Token: 33	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
Token: SeIncBasePriorityPrivilege	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 1256	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	79
PID 3796 wrote to memory of 4308	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	80
PID 3796 wrote to memory of 4308	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	80
PID 3796 wrote to memory of 4308	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	80
PID 3796 wrote to memory of 2688	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	82
PID 3796 wrote to memory of 2688	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	82
PID 3796 wrote to memory of 2688	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	82
PID 2688 wrote to memory of 4312	2688	cmd.exe	84
PID 2688 wrote to memory of 4312	2688	cmd.exe	84
PID 2688 wrote to memory of 4312	2688	cmd.exe	84
PID 3796 wrote to memory of 4376	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	85
PID 3796 wrote to memory of 4376	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	85
PID 3796 wrote to memory of 4376	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	85
PID 3796 wrote to memory of 2076	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	87
PID 3796 wrote to memory of 2076	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	87
PID 3796 wrote to memory of 2076	3796	b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe	87

C:\Users\Admin\AppData\Local\Temp\b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe
"C:\Users\Admin\AppData\Local\Temp\b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769.exe" "%appdata%\Mail\Mail Service.exe" /Y
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Mail\Mail Service.exe.lnk" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Mail\Mail Service.exe.lnk" /f
    3⤵
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Mail\Mail Service.exe:Zone.Identifier
  2⤵
  PID:4376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Mail\Mail Service.exe.jpg" Mail Service.exe
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
C:\Users\Admin\AppData\Roaming\Mail\Mail Service.exe

Filesize
1.1MB

MD5
4d08cd26844d557101ce21938812261c

SHA1
fce26de220032955493d70dfb7b2b3e9bf04d909

SHA256
b2c9e863e22409bbd43d7e3a43b6895081092124cb5c795a76272d7f392e1769

SHA512
dcf1b8fed11f5b4bbc54e0e80bf5cda4cd7cf34bb2f478bbf4971a36d78bc6c7cb36b5e57539bc7bbc1445d476913dca818ef7cab208ef7da7beed17f2dd0809

Download Submit
memory/1256-137-0x0000000001180000-0x0000000001273000-memory.dmp

Filesize
972KB

Download
memory/3796-133-0x0000000004FA0000-0x000000000503C000-memory.dmp

Filesize
624KB

Download
memory/3796-130-0x00000000003B0000-0x00000000004CE000-memory.dmp

Filesize
1.1MB

Download
memory/3796-132-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/3796-131-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing