webmonitor | 48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876

General

Target

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe
Size

17.2MB
MD5

ee9a4ee14382824e759636426db0aa6f
SHA1

5ff8faa6df6c1ef352d4938be39a97092dd1c7c7
SHA256

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876
SHA512

4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656

Score

10^/10

webmonitor backdoor infostealer persistence rat

Malware Config

Extracted

Family

webmonitor

C2

worldbala.wm01.to:443

Attributes

config_key
1vt5MKV6CcJnGWsNVlYXmKcidNN2mBKt
private_key
NcwyDvFB8
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/732-76-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-78-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-79-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-80-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-81-0x00000000004731FB-mapping.dmp	family_webmonitor
behavioral1/memory/732-83-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-86-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-88-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-90-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor
behavioral1/memory/732-91-0x0000000000400000-0x00000000004BE000-memory.dmp	family_webmonitor

Executes dropped EXE 1 IoCs

Processes:

GfnWebBrowser.exe

pid process

1032 GfnWebBrowser.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1684 cmd.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.243.215.214

pid	process
1032	GfnWebBrowser.exe

pid	process
1684	cmd.exe

description	ioc
Destination IP	185.243.215.214

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GfnWebBrowser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\GfnWebBrowser = "C:\\Users\\Admin\\AppData\\Roaming\\GfnWebBrowser.exe -boot"	GfnWebBrowser.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

GfnWebBrowser.exe

description pid process target process

PID 1032 set thread context of 732 1032 GfnWebBrowser.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1032 set thread context of 732	1032	GfnWebBrowser.exe	AppLaunch.exe

NTFS ADS 5 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exeGfnWebBrowser.exe

description	pid	process
Token: SeDebugPrivilege	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe
Token: SeDebugPrivilege	1032	GfnWebBrowser.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.execmd.exeGfnWebBrowser.exe

description	pid	process	target process
PID 1016 wrote to memory of 2040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 2040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 2040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 2040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1040	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1660	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1660	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1660	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1660	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1684	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1684	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1684	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1016 wrote to memory of 1684	1016	48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe	cmd.exe
PID 1684 wrote to memory of 1032	1684	cmd.exe	GfnWebBrowser.exe
PID 1684 wrote to memory of 1032	1684	cmd.exe	GfnWebBrowser.exe
PID 1684 wrote to memory of 1032	1684	cmd.exe	GfnWebBrowser.exe
PID 1684 wrote to memory of 1032	1684	cmd.exe	GfnWebBrowser.exe
PID 1032 wrote to memory of 1268	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 1268	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 1268	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 1268	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 800	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 800	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 800	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 800	1032	GfnWebBrowser.exe	cmd.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe
PID 1032 wrote to memory of 732	1032	GfnWebBrowser.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe
"C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:2040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe:Zone.Identifier"
2⤵
- NTFS ADS
PID:1040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876.exe" "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
2⤵
- NTFS ADS
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe
"C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe:Zone.Identifier"
4⤵
- NTFS ADS
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe
Filesize
17.2MB

MD5
ee9a4ee14382824e759636426db0aa6f

SHA1
5ff8faa6df6c1ef352d4938be39a97092dd1c7c7

SHA256
48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876

SHA512
4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656

Download Submit
C:\Users\Admin\AppData\Roaming\GfnWebBrowser.exe
Filesize
17.2MB

MD5
ee9a4ee14382824e759636426db0aa6f

SHA1
5ff8faa6df6c1ef352d4938be39a97092dd1c7c7

SHA256
48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876

SHA512
4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656

Download Submit
\Users\Admin\AppData\Roaming\GfnWebBrowser.exe
Filesize
17.2MB

MD5
ee9a4ee14382824e759636426db0aa6f

SHA1
5ff8faa6df6c1ef352d4938be39a97092dd1c7c7

SHA256
48d173767bf24bb9ad394d2581ecedfdefc4e31fd79b114a79a196eca7fb8876

SHA512
4c7a3f81eb713b68c5cf8376ec5f55428294732f2c97bf5cd8bea876d569d2bf1e2d3a9c09e64b51411deaf37f1670d02a1cf192e7427f9cef3135f4a09b6656

Download Submit
memory/732-79-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-86-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-83-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-81-0x00000000004731FB-mapping.dmp

Download
memory/732-80-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-78-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-88-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-90-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-76-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-91-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-74-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/732-73-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/800-71-0x0000000000000000-mapping.dmp

Download
memory/1016-61-0x0000000001BA0000-0x0000000001BA6000-memory.dmp

Filesize
24KB

Download
memory/1016-58-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/1016-55-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/1016-56-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1016-60-0x0000000001B20000-0x0000000001B2C000-memory.dmp

Filesize
48KB

Download
memory/1016-54-0x0000000000A60000-0x0000000001B02000-memory.dmp

Filesize
16.6MB

Download
memory/1032-66-0x0000000000000000-mapping.dmp

Download
memory/1032-72-0x0000000002F90000-0x0000000002F9C000-memory.dmp

Filesize
48KB

Download
memory/1032-68-0x0000000000250000-0x00000000012F2000-memory.dmp

Filesize
16.6MB

Download
memory/1040-59-0x0000000000000000-mapping.dmp

Download
memory/1268-70-0x0000000000000000-mapping.dmp

Download
memory/1660-62-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/2040-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads