webmonitor | 2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016

General

Target

2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016
Size

546KB
Sample

220525-akazkacgc3
MD5

ea8bd15c924883beb0675399bc9e790a
SHA1

0b18ec8eaa1b11315be4d08618f2df14d60a9be1
SHA256

2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016
SHA512

7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6

Score

10^/10

Malware Config

Extracted

Family

webmonitor

C2

roxter666.wm01.to:443

Attributes

config_key
9rwqIhLhP1v4mc4fDkpMWCPyZZA3jLtP
private_key
ifcSJLpGN
url_path
/recv5.php

Targets

- Target
  
  2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016
- Size
  
  546KB
- MD5
  
  ea8bd15c924883beb0675399bc9e790a
- SHA1
  
  0b18ec8eaa1b11315be4d08618f2df14d60a9be1
- SHA256
  
  2699fd4e118ec814f98e7b62546f8d4d10b28fbef3cafe4442a920d81f6a9016
- SHA512
  
  7d0c8cadee1a10cdcc039603a114f39cbf9b514a90d98f3142eb300bd73082672e7dae7cc2611f28e89175d600964a7f81cfd5c045b92212cd1dff5ee1665ce6
Score

10^/10

webmonitor backdoor infostealer persistence rat suricata upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor Payload
- suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
  suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
  suricata
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RevcodeRat, WebMonitorRat

WebMonitor Payload

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Unexpected DNS network traffic destination

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2