webmonitor | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06

General

Target

0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
Size

586KB
Sample

220604-s3w9madch7
MD5

b26c6f36a8711168dc8d2882a6cab0c2
SHA1

e133a7dad21664672df96f0e6c956effe2ac7350
SHA256

0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512

f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910

Score

10^/10

Malware Config

Extracted

Family

webmonitor

C2

holmes101.wm01.to:443

Attributes

config_key
XKulJBlUogMPPhL5GnUay2DqaaoA6mr7
private_key
rwh8ivgQh
url_path
/recv4.php

Targets

- Target
  
  0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
- Size
  
  586KB
- MD5
  
  b26c6f36a8711168dc8d2882a6cab0c2
- SHA1
  
  e133a7dad21664672df96f0e6c956effe2ac7350
- SHA256
  
  0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
- SHA512
  
  f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
Score

10^/10

webmonitor backdoor infostealer persistence rat suricata upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor Payload
- suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
  suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
  suricata
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RevcodeRat, WebMonitorRat

WebMonitor Payload

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Unexpected DNS network traffic destination

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2