webmonitor | 6e66134aa8b2a4317e0e2fff2d8665c2476238c8a37d66359f3e94804f5f86f8

General

Target

zd4vWiNB908TG99.exe
Size

1007KB
MD5

f3370ea593b2afe30af97925d3a63295
SHA1

628af1ff11ecd9101e73dc0971d432e1c64e26fe
SHA256

3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
SHA512

182118828e580fe8e0e1188be751c93fde397af83dbff40f79e439ab3858cd3ce04d81e6c18b9bf264734b92a5bd302746b7a036c6a956ba70020da25532654c

Score

10^/10

webmonitor backdoor infostealer rat suricata

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes

config_key
4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O
private_key
yvkn5wM8E
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1604-63-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/1604-65-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/1604-67-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/1604-69-0x000000000049D8CA-mapping.dmp	family_webmonitor
behavioral1/memory/1604-72-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/1604-73-0x0000000000400000-0x00000000004F3000-memory.dmp	family_webmonitor
behavioral1/memory/1604-74-0x0000000002F70000-0x0000000003F70000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	185.243.215.214

Suspicious use of SetThreadContext 1 IoCs

Processes:

zd4vWiNB908TG99.exe

description pid process target process

PID 1800 set thread context of 1604 1800 zd4vWiNB908TG99.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

zd4vWiNB908TG99.exe

pid process

1800 zd4vWiNB908TG99.exe
1800 zd4vWiNB908TG99.exe
1800 zd4vWiNB908TG99.exe
1800 zd4vWiNB908TG99.exe
1800 zd4vWiNB908TG99.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

zd4vWiNB908TG99.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1800 zd4vWiNB908TG99.exe
Token: SeShutdownPrivilege 1604 RegSvcs.exe

description	pid	process	target process
PID 1800 set thread context of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe

pid	process
828	schtasks.exe

pid	process
1800	zd4vWiNB908TG99.exe
1800	zd4vWiNB908TG99.exe
1800	zd4vWiNB908TG99.exe
1800	zd4vWiNB908TG99.exe
1800	zd4vWiNB908TG99.exe

description	pid	process
Token: SeDebugPrivilege	1800	zd4vWiNB908TG99.exe
Token: SeShutdownPrivilege	1604	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

zd4vWiNB908TG99.exe

description	pid	process	target process
PID 1800 wrote to memory of 828	1800	zd4vWiNB908TG99.exe	schtasks.exe
PID 1800 wrote to memory of 828	1800	zd4vWiNB908TG99.exe	schtasks.exe
PID 1800 wrote to memory of 828	1800	zd4vWiNB908TG99.exe	schtasks.exe
PID 1800 wrote to memory of 828	1800	zd4vWiNB908TG99.exe	schtasks.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe
PID 1800 wrote to memory of 1604	1800	zd4vWiNB908TG99.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe
"C:\Users\Admin\AppData\Local\Temp\zd4vWiNB908TG99.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TqIIWvfdyqgCej" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCB2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCCB2.tmp

Filesize
1KB

MD5
b24dde483a003fd09cda758986ccf2ff

SHA1
dec0cca6e9b52939b9bbf0c463d93d05098c37b1

SHA256
2a737ef643a5ecaee6c39c979cc42ffbdc06649f037db17d61e5e00a0016dc93

SHA512
d7e53b39e06d49013ee66fb7b6836e0d8c7b1f6a2b8a03cd32c79b5763a5d9c6a841e9bfb96955cd377a164161e7c8a46abc61b0056c3e52e8e493b139da1f18

Download Submit
memory/828-58-0x0000000000000000-mapping.dmp

Download
memory/1604-63-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-65-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-74-0x0000000002F70000-0x0000000003F70000-memory.dmp

Filesize
16.0MB

Download
memory/1604-73-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-60-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-61-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-72-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-71-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1604-67-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/1604-69-0x000000000049D8CA-mapping.dmp

Download
memory/1800-57-0x0000000009380000-0x0000000009474000-memory.dmp

Filesize
976KB

Download
memory/1800-54-0x0000000000B00000-0x0000000000C02000-memory.dmp

Filesize
1.0MB

Download
memory/1800-55-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1800-56-0x0000000005A00000-0x0000000005AE0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads