webmonitor | 16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e

General

Target

16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
Size

583KB
MD5

1be5dfb676ea45c9b295f1ea843352bc
SHA1

7c116f899466987ab92b393d9b9dd4f423ad2670
SHA256

16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e
SHA512

c96dc8b6af3b1c6e0a894caefb30637b73271492b7996d202f1e2f4044986789d27f0a5355175e2fa2080b0e8a19684c9bea333e745eba753603d65e51cf79f9

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1464-77-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1464-78-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1464-79-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-67-0x0000000002070000-0x0000000002159000-memory.dmp	upx
behavioral1/memory/1464-69-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-71-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-72-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-74-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-76-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-77-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-78-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1464-79-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FGFpvS.url	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	139.175.55.244
Destination IP	77.88.8.8
Destination IP	180.76.76.76
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	123.125.81.6
Destination IP	91.239.100.100
Destination IP	101.226.4.6

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1972 set thread context of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2008	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	27
PID 1972 wrote to memory of 2008	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	27
PID 1972 wrote to memory of 2008	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	27
PID 1972 wrote to memory of 2008	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	27
PID 2008 wrote to memory of 1760	2008	csc.exe	29
PID 2008 wrote to memory of 1760	2008	csc.exe	29
PID 2008 wrote to memory of 1760	2008	csc.exe	29
PID 2008 wrote to memory of 1760	2008	csc.exe	29
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30
PID 1972 wrote to memory of 1464	1972	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	30

C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
"C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wwggsf3\5wwggsf3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC7.tmp" "c:\Users\Admin\AppData\Local\Temp\5wwggsf3\CSC3B816806D684E0B911ACC8411EF7728.TMP"
    3⤵
    PID:1760
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5wwggsf3\5wwggsf3.dll

Filesize
14KB

MD5
e9f57640ccbb11a06b0768f99dd44c69

SHA1
30a71db9431e4351ee5e2640a67bc81a90936980

SHA256
bc10174aa72d910bbe2512e38a4c5503321a18324cd2101a82fbd90db957da2b

SHA512
58f49155448c9709603c7ebb117a13e7f72fd89843036f79503c08a98bab7b79c2ea54ccce3e451f06bfd023164a6a54802a40d245856f442ba362882093df64

Download Submit
C:\Users\Admin\AppData\Local\Temp\5wwggsf3\5wwggsf3.pdb

Filesize
47KB

MD5
be4be2aafa687be36df28a22564ca44f

SHA1
15ca7e09d16202f359992f23356022eff0542046

SHA256
31bac33b3fa81c55a864bcefd60945eb5eb8e1e8fd1e641dd9d51383e14fae7e

SHA512
eb13f9994fe30661fdfe1ac0fc0cd90efc80b2088ed52f4b9d1b95eff4700e5ffd2f5d4dbadef734205487df923eea72292251156d853e61bb590c0b60080fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5BC7.tmp

Filesize
1KB

MD5
c3791355ae68684210a5a0bfbabf1fb5

SHA1
1f2b7fa11ed2351893ecf70e576fadebe851d5f4

SHA256
c030778233ba09a491c718c813b16e02069796b989ad89515ce9499d8c6c7af5

SHA512
1e6ed09c23eff6b9fcd297c7eb40789840639505fdd19a7b07928acd941570d699fcb63f557c9cd1e89163ab48d4633dfa0b4804bbbcbc1f2dd86f5a6f1a7523

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5wwggsf3\5wwggsf3.0.cs

Filesize
27KB

MD5
c1e277911a0bb12bc30f2de9d2805aea

SHA1
e91bbd080c2148fa4fd4389f7b9bf7b3df1d559b

SHA256
50b6b56f66a192dc2778bae2a1c2ede167be01a0dc4adffc71aaa147556dcffe

SHA512
c610e386287bbbdc276405d8cc907c8db803ba6ebde07eb64fa36daff8a28722b8f794157e4c5b8569814697a5c419631d2c386500a1e2d2214e31972b9ddd49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5wwggsf3\5wwggsf3.cmdline

Filesize
312B

MD5
644fef751712fd3b4b81b83522b2b961

SHA1
705f2d57685c2134183d67f9706472ad49913865

SHA256
96b41a8bac55482597deeebe25d165bb7730423b1235c5d03dc3c0547fa3f56f

SHA512
5a0f72860047356a9cb8d511d57580e2b93464fc5bded95a3757784db1bf7d332ba765650e6ce683b53159e543e01a016fafb674aaaae54a7a4011f4315314df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5wwggsf3\CSC3B816806D684E0B911ACC8411EF7728.TMP

Filesize
1KB

MD5
6039f16e94797bd73e58a242054fe9a7

SHA1
160823383f2a6d24ebd562d896a600e9084640a4

SHA256
40bd11ca9c5c01b854653c1d13942b5b8d49e9c51a6dcc86f4b3b38155ee20f7

SHA512
10e580f1f39cd592811e68e75942468009611346efb3e648be0cd154e4ce762c1d7fa2022d6b58cc95ed4a9c8430ac3e279ebc0e04898291108459c11d0f4092

Download Submit
memory/1464-74-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-79-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-78-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-77-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-76-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-72-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-71-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-68-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1464-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1972-67-0x0000000002070000-0x0000000002159000-memory.dmp

Filesize
932KB

Download
memory/1972-66-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1972-54-0x0000000000220000-0x00000000002BA000-memory.dmp

Filesize
616KB

Download
memory/1972-65-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1972-64-0x0000000004D50000-0x0000000004DB8000-memory.dmp

Filesize
416KB

Download
memory/1972-63-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing