General

  • Target

    0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06

  • Size

    586KB

  • Sample

    220604-s3w9madch7

  • MD5

    b26c6f36a8711168dc8d2882a6cab0c2

  • SHA1

    e133a7dad21664672df96f0e6c956effe2ac7350

  • SHA256

    0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06

  • SHA512

    f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910

Malware Config

Extracted

  • Family

    webmonitor

  • C2

    holmes101.wm01.to:443

Attributes

  • config_key

    XKulJBlUogMPPhL5GnUay2DqaaoA6mr7

  • private_key

    rwh8ivgQh

  • url_path

    /recv4.php

Targets

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that can be operated from any browser to control and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion: Modify Registry (T1112): 1

  • Discovery: Query Registry (T1012): 1

  • Discovery: System Information Discovery (T1082): 2
