General

  • Target

    018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8

  • Size

    660KB

  • Sample

    220523-xyqy9scgh8

  • MD5

    ca45b0ed9b7c08d5d4dd574aba5a7d0d

  • SHA1

    5e6560732977f4d1fe113c169325a29fceaedff5

  • SHA256

    018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8

  • SHA512

    e1939eb2ffafb5fc9929fb9b6696430562b67e68c8ae7613de07e9aba0c4918aade6ab1ddabb812cf419028ac785b4353707fbac68f232f60be813ff956c56dd

Malware Config

Extracted

  • Family

    webmonitor

  • C2

    irvingl.wm01.to:443

Attributes
  • config_key

    YuqeS5by2ufBLEJpyKzIQI11b9BK1C9y

  • private_key

    AYZWTd6Xn

  • url_path

    /recv4.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1 technique): T1064

  • Defense Evasion

    Scripting (1 technique): T1064