General

  • Target

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

  • Size

    546KB

  • Sample

    220525-akazkacgc3

  • MD5

    ea8bd15c924883beb0675399bc9e790a

  • SHA1

    0b18ec8eaa1b11315be4d08618f2df14d60a9be1

  • SHA256

    2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

  • SHA512

    7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

Malware Config

Extracted

Family

webmonitor

C2

roxter666.wm01.to:443

Attributes

  • config_key

    9rwqIhLhP1v4mc4fDkpMWCPyZZA3jLtP

  • private_key

    ifcSJLpGN

  • url_path

    /recv5.php

Targets

    • Target

      2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

    • Size

      546KB

    • MD5

      ea8bd15c924883beb0675399bc9e790a

    • SHA1

      0b18ec8eaa1b11315be4d08618f2df14d60a9be1

    • SHA256

      2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

    • SHA512

      7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            ID      Count
Persistence       Registry Run Keys / Startup Folder   T1060   1
Defense Evasion   Modify Registry                      T1112   1
Discovery         Query Registry                       T1012   1
Discovery         System Information Discovery         T1082   2
