webmonitor | 018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
Size

660KB
MD5

ca45b0ed9b7c08d5d4dd574aba5a7d0d
SHA1

5e6560732977f4d1fe113c169325a29fceaedff5
SHA256

018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8
SHA512

e1939eb2ffafb5fc9929fb9b6696430562b67e68c8ae7613de07e9aba0c4918aade6ab1ddabb812cf419028ac785b4353707fbac68f232f60be813ff956c56dd

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

irvingl.wm01.to:443

Attributes

config_key
YuqeS5by2ufBLEJpyKzIQI11b9BK1C9y
private_key
AYZWTd6Xn
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1620-77-0x0000000000400000-0x00000000004E6000-memory.dmp	family_webmonitor
behavioral1/memory/1620-78-0x0000000000400000-0x00000000004E6000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1828-67-0x00000000020D0000-0x00000000021B6000-memory.dmp	upx
behavioral1/memory/1620-69-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-71-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-72-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-74-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-76-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-77-0x0000000000400000-0x00000000004E6000-memory.dmp	upx
behavioral1/memory/1620-78-0x0000000000400000-0x00000000004E6000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghjkjkgj.url	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114
Destination IP	139.175.55.244
Destination IP	1.2.4.8
Destination IP	77.88.8.8
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	91.239.100.100
Destination IP	180.76.76.76

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1988	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	27
PID 1828 wrote to memory of 1988	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	27
PID 1828 wrote to memory of 1988	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	27
PID 1828 wrote to memory of 1988	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	27
PID 1988 wrote to memory of 936	1988	csc.exe	29
PID 1988 wrote to memory of 936	1988	csc.exe	29
PID 1988 wrote to memory of 936	1988	csc.exe	29
PID 1988 wrote to memory of 936	1988	csc.exe	29
PID 1828 wrote to memory of 1692	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	30
PID 1828 wrote to memory of 1692	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	30
PID 1828 wrote to memory of 1692	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	30
PID 1828 wrote to memory of 1692	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	30
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31
PID 1828 wrote to memory of 1620	1828	018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe	31

C:\Users\Admin\AppData\Local\Temp\018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe
"C:\Users\Admin\AppData\Local\Temp\018854e265b335fe5e9f18c5672403194a8ec7205b0567bc0652fb3f415b8ea8.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejcnl45y\ejcnl45y.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3257.tmp" "c:\Users\Admin\AppData\Local\Temp\ejcnl45y\CSC2EA701CA262416497551D43707E15F8.TMP"
    3⤵
    PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3257.tmp

Filesize
1KB

MD5
0f250742228a16dc38a1ce59bcd4da7c

SHA1
fc0e38edc35134c7f401f8b1f5f923c69560037f

SHA256
b73500c439beeac36f12dceddefe89f54bd18eb5e96db1796025c1454c66a0e9

SHA512
7edc6067a97bc2b9943d90db4a46b085c9f2d93f4480bb06db46d6c72859d3b66af2b1d601be98ce7a695307c16557cf3ebb25b6b90d652670e1c377a9eef309

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejcnl45y\ejcnl45y.dll

Filesize
20KB

MD5
22d04e3c92a2aa54c31c3d2ead15620e

SHA1
5771141c18a1b6ba906914b2484fd2925fc541f7

SHA256
0c31e3b3bb2c639eced0d9d2ca3a1b5a2b55a37da7c0fd792d55959b3623aaee

SHA512
2513e51bcb50cb7245fddbf9e214accf5d46e875c25acd1342ece033cf1a4c1da42886fdd30532c246255391189a7b0d854ea5dfd252e65dbe7c376e9b37725a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ejcnl45y\ejcnl45y.pdb

Filesize
65KB

MD5
137dd39b4aca734f8d0996ed3479919a

SHA1
0d6e55d05adff6580052523141bc2814c454b20c

SHA256
df82126658dcbc22e46b739f8aaf5d831681ca3140e65f8382c0f5fa67eb5727

SHA512
135a7102bc38aff9d1eec26135e978fef6ad3019a545fb62b9cc9a65232e443131013e74b7a3ea625fdbb9b3d075f756bbe60154b0d7ee3be3b22ce686bbddda

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejcnl45y\CSC2EA701CA262416497551D43707E15F8.TMP

Filesize
1KB

MD5
df24ebeaace2a9079fff15c17fc128b6

SHA1
32269a72fb8514250aa11f693edb8325db2a3c77

SHA256
7fb05dd0d29e8b277c359b23510dfa345713519ed0774eab74fbab3cd23fb112

SHA512
677a7a65631417bb02d910cde7ebf8b8bd924e3f8982629e359a16209dda4cbef503782f76767c98ceb9eb6c984c4e198078b328675f934a12aec66c2ba1afce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejcnl45y\ejcnl45y.0.cs

Filesize
44KB

MD5
07561970ff30e6e3d08b31648f867972

SHA1
111181beae9af3c4a2e1e537962c86b0fa50cb52

SHA256
8c84afb83f396d2521405ac37f3a81ad7564c6aacc1a9246463e127f8a24c6e6

SHA512
54a6d7277009718876fb3edfb51a855fedfee828f1f16916bfd630efe0918b31a324337294bbf2565f455703a4179654bbcbebe25f2a5afb02a8e71be948610a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ejcnl45y\ejcnl45y.cmdline

Filesize
312B

MD5
b8f3f7a843bee3940dc353a36bfe4dff

SHA1
3262432b41f675eac520b9294b52d2f518af036e

SHA256
e593306e63b480f2a62f9370b77bc74206754cf25989623f5c0f41c770d7a8a5

SHA512
d2161356429af54287fd74973e33736f7d35850f671bf576c0079028150331d61d6b05a3f6bb3dc995aa9658a822b48de567c7e1685c7a0b267285e36cd2b770

Download Submit
memory/1620-69-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-72-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-78-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-77-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-76-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-74-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-68-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1620-71-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1828-54-0x0000000000930000-0x00000000009C2000-memory.dmp

Filesize
584KB

Download
memory/1828-67-0x00000000020D0000-0x00000000021B6000-memory.dmp

Filesize
920KB

Download
memory/1828-66-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1828-65-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1828-64-0x0000000001FC0000-0x0000000002026000-memory.dmp

Filesize
408KB

Download
memory/1828-63-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download