webmonitor | 089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7

General

Target

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
Size

1.5MB
Sample

220530-z9b1laffbn
MD5

a95b331fccf2956d61809a5cd4c8ae80
SHA1

2c174632ebdb5a799763d0d798f73513065ec28c
SHA256

089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
SHA512

be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22

Score

10^/10

Malware Config

Extracted

Family

webmonitor

C2

preetha.wm01.to:443

Attributes

config_key
QuvlUX1F0t9VVObPIMdFN2IC4RdIDe8m
private_key
32i3qiVRG
url_path
/recv5.php

Targets

- Target
  
  089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
- Size
  
  1.5MB
- MD5
  
  a95b331fccf2956d61809a5cd4c8ae80
- SHA1
  
  2c174632ebdb5a799763d0d798f73513065ec28c
- SHA256
  
  089a955d548f789370a8cacbf2c3f35f34b10cb087686ddada98db5dfc717bf7
- SHA512
  
  be7a0217dae7eb90974aeffde0c3ca660f07fb9fc8ade2766455bbffee93c6fe5d081a78ea1a4cddbe29da359912f5f2f98a38fa27154cb39d3142bb196d9e22
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor Payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RevcodeRat, WebMonitorRat

WebMonitor Payload

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Unexpected DNS network traffic destination

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2