webmonitor | 8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2

General

Target

8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Size

921KB
MD5

40f39933c67ea2045c887db44e9ba666
SHA1

611422b9d996fe8e6070fd107412cb61efbef483
SHA256

8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2
SHA512

363cd33c4ed51d8d8aa89c506f7392ec921479a2a3a010af1c48917e82be5166c9c09ba817aad417dff7e62e17ceef9d173899ff0c706ff18e3e3e10b74c26bc

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

mafianclub.wm01.to:443

Attributes

config_key
msK8483mYp1k2OzxD1I3yoSUcNW7v1k5
private_key
WB8PgMeHa
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2032-143-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral2/memory/2032-144-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

pid	Process
2032	RegAsm.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2032-137-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2032-140-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2032-141-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2032-143-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral2/memory/2032-144-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Loads dropped DLL 1 IoCs

pid	Process
3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3444 set thread context of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Token: SeTakeOwnershipPrivilege	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Token: SeRestorePrivilege	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
Token: SeShutdownPrivilege	2032	RegAsm.exe
Token: SeCreatePagefilePrivilege	2032	RegAsm.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 3444 wrote to memory of 2032	3444	8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe	84
PID 2032 wrote to memory of 4036	2032	RegAsm.exe	85
PID 2032 wrote to memory of 4036	2032	RegAsm.exe	85
PID 2032 wrote to memory of 4036	2032	RegAsm.exe	85

C:\Users\Admin\AppData\Local\Temp\8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe
"C:\Users\Admin\AppData\Local\Temp\8e6f24e4cb48f7ed08b9796061dd09dd5fcefd7804c7b102a5d0f88c85938bc2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
  "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMOzsHIM433IivL1.bat" "
    3⤵
    PID:4036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMOzsHIM433IivL1.bat

Filesize
204B

MD5
0a6210994c02b1f93efde30027f8688c

SHA1
3fcace04b8f8b79c35df385b6b0fe7eb86717704

SHA256
bd55f1dfcee991a188c6a8ec28273a83859a43fab64b220932fd133b073cc450

SHA512
53f9b62964ab9443c92ae8d2b58d5682423987b3426f6b46b2f8264ee4de504276f46f1a5a5a463ff35c5acabfb519900caf3fe683505cf51f7ac48595019b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/2032-137-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2032-140-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2032-141-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2032-143-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2032-144-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/3444-130-0x0000000000570000-0x000000000065C000-memory.dmp

Filesize
944KB

Download
memory/3444-135-0x0000000073930000-0x00000000739B9000-memory.dmp

Filesize
548KB

Download
memory/3444-133-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/3444-132-0x0000000005000000-0x0000000005044000-memory.dmp

Filesize
272KB

Download
memory/3444-131-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing