Analysis
-
max time kernel
157s -
max time network
159s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24-05-2022 16:41
Static task
static1
Behavioral task
behavioral1
Sample
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe
Resource
win10v2004-20220414-en
General
-
Target
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe
-
Size
365KB
-
MD5
7bb890fdf757f2dca62acdfb2bb26ff9
-
SHA1
7fba93d7d5fe0250e736675a7ce85c6129341de6
-
SHA256
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553
-
SHA512
6021fab5a5ff2d10df93173c3fbfbbe64bed1bc15bcf3958c5bc152eb3fcd7b1fde7baac97cd52a1cb5cd75bbb94d6f09bb6dcc8bb694e048d3c95eff32048bb
Malware Config
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
-
Unexpected DNS network traffic destination 9 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 185.243.215.214 Destination IP 1.2.4.8 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 185.243.215.214 Destination IP 1.2.4.8 Destination IP 185.243.215.214 Destination IP 185.243.215.214 Destination IP 185.243.215.214 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-b5f1 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-b5f1.exe" e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exepid process 1068 e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exedescription pid process Token: SeShutdownPrivilege 1068 e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe"C:\Users\Admin\AppData\Local\Temp\e510da3919bd636fcc0b09a3f00355175b660761fe0481809a8cef06d305f553.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken