Analysis
-
max time kernel
37s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
29-05-2022 20:23
Static task
static1
Behavioral task
behavioral1
Sample
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Resource
win10v2004-20220414-en
General
-
Target
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
-
Size
361KB
-
MD5
92175d22a32d45d8d1beadf1e99ad9f6
-
SHA1
13dfbe33cc691dd6533c45d001970f5e6b0e26d0
-
SHA256
0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85
-
SHA512
5ea867093683a1a4f920ad0d4a35b3ce935be982a44ada394d74213dcdea70aff66a93eb782c345c3bbf0bb3ea2f4afb28e6e96d3f08e8eee0997b778d3ac187
Malware Config
Extracted
webmonitor
pitbullcant.wm01.to:443
-
config_key
A7HOB9ROz2LrVrPGPRzC4MVB2KltDr7S
-
private_key
i9KVkEro3
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 2 IoCs
resource yara_rule behavioral1/memory/1836-55-0x0000000000400000-0x00000000004F2000-memory.dmp family_webmonitor behavioral1/memory/1836-57-0x0000000000400000-0x00000000004F2000-memory.dmp family_webmonitor -
resource yara_rule behavioral1/memory/1836-55-0x0000000000400000-0x00000000004F2000-memory.dmp upx behavioral1/memory/1836-57-0x0000000000400000-0x00000000004F2000-memory.dmp upx -
Unexpected DNS network traffic destination 28 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 78.110.93.91 Destination IP 176.126.70.119 Destination IP 95.38.60.115 Destination IP 83.253.69.227 Destination IP 91.190.142.200 Destination IP 103.57.74.74 Destination IP 185.243.215.214 Destination IP 216.158.101.165 Destination IP 216.158.110.231 Destination IP 77.240.75.131 Destination IP 46.209.59.66 Destination IP 217.219.115.141 Destination IP 217.215.237.209 Destination IP 212.214.229.170 Destination IP 212.164.234.66 Destination IP 78.38.154.2 Destination IP 217.25.223.39 Destination IP 91.217.108.19 Destination IP 94.183.42.232 Destination IP 194.16.56.47 Destination IP 202.46.32.19 Destination IP 83.233.164.43 Destination IP 195.189.24.132 Destination IP 178.215.76.180 Destination IP 46.242.56.102 Destination IP 213.115.225.7 Destination IP 195.54.182.166 Destination IP 194.1.154.37 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-3033 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-3033.exe" 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1380 1836 WerFault.exe 21 -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeShutdownPrivilege 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1836 wrote to memory of 1380 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 30 PID 1836 wrote to memory of 1380 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 30 PID 1836 wrote to memory of 1380 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 30 PID 1836 wrote to memory of 1380 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe"C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 5682⤵
- Program crash
PID:1380
-