webmonitor | 48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876 | Triage

Submit
Reports

Overview

overview

Static

static

48d173767b...76.exe

windows7_x64

48d173767b...76.exe

windows10-2004_x64

Sharing

General

Target

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
Size

17.2MB
Sample

220516-p4e5ysccb2
MD5

ee9a4ee14382824e759636426db0aa6f
SHA1

5ff8faa6df6c1ef352d4938be39a97092dd1c7c7
SHA256

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
SHA512

4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656

Score

10^/10

webmonitor backdoor infostealer persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe

Resource

win7-20220414-en

webmonitor backdoor infostealer persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe

Resource

win10v2004-20220414-en

webmonitor backdoor infostealer persistence rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

webmonitor

C2

worldbala.wm01.to:443

Attributes

config_key
1vt5MKV6CcJnGWsNVlYXmKcidNN2mBKt
private_key
NcwyDvFB8
url_path
/recv4.php

Targets

- Target
  
  48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
- Size
  
  17.2MB
- MD5
  
  ee9a4ee14382824e759636426db0aa6f
- SHA1
  
  5ff8faa6df6c1ef352d4938be39a97092dd1c7c7
- SHA256
  
  48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
- SHA512
  
  4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656
Score

10^/10

webmonitor backdoor infostealer persistence rat
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerpersistencerat

behavioral2

webmonitorbackdoorinfostealerpersistencerat

© 2018-2024

Terms | Privacy