webmonitor | 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85

General

Target

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Size

361KB
MD5

92175d22a32d45d8d1beadf1e99ad9f6
SHA1

13dfbe33cc691dd6533c45d001970f5e6b0e26d0
SHA256

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85
SHA512

5ea867093683a1a4f920ad0d4a35b3ce935be982a44ada394d74213dcdea70aff66a93eb782c345c3bbf0bb3ea2f4afb28e6e96d3f08e8eee0997b778d3ac187

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

C2

pitbullcant.wm01.to:443

Attributes

config_key
A7HOB9ROz2LrVrPGPRzC4MVB2KltDr7S
private_key
i9KVkEro3
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1836-55-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral1/memory/1836-57-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1836-55-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1836-57-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	78.110.93.91
Destination IP	176.126.70.119
Destination IP	95.38.60.115
Destination IP	83.253.69.227
Destination IP	91.190.142.200
Destination IP	103.57.74.74
Destination IP	185.243.215.214
Destination IP	216.158.101.165
Destination IP	216.158.110.231
Destination IP	77.240.75.131
Destination IP	46.209.59.66
Destination IP	217.219.115.141
Destination IP	217.215.237.209
Destination IP	212.214.229.170
Destination IP	212.164.234.66
Destination IP	78.38.154.2
Destination IP	217.25.223.39
Destination IP	91.217.108.19
Destination IP	94.183.42.232
Destination IP	194.16.56.47
Destination IP	202.46.32.19
Destination IP	83.233.164.43
Destination IP	195.189.24.132
Destination IP	178.215.76.180
Destination IP	46.242.56.102
Destination IP	213.115.225.7
Destination IP	195.54.182.166
Destination IP	194.1.154.37

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\WebMonitor-3033 = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-3033.exe"	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1380 1836 WerFault.exe 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

pid process

1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

description pid process

Token: SeShutdownPrivilege 1836 0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

pid	pid_target	process	target process
1380	1836	WerFault.exe	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

pid	process
1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

description	pid	process
Token: SeShutdownPrivilege	1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe

description	pid	process	target process
PID 1836 wrote to memory of 1380	1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe	WerFault.exe
PID 1836 wrote to memory of 1380	1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe	WerFault.exe
PID 1836 wrote to memory of 1380	1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe	WerFault.exe
PID 1836 wrote to memory of 1380	1836	0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe
"C:\Users\Admin\AppData\Local\Temp\0d80dfd6210c601119788192d13201c70ad7ec9375a3f308ee1322aaab79cb85.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 568
2⤵
- Program crash
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-59-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1836-55-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1836-56-0x0000000002C80000-0x0000000003C80000-memory.dmp

Filesize
16.0MB

Download
memory/1836-57-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1836-58-0x0000000002C80000-0x0000000003C80000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads