webmonitor | 16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e

General

Target

16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
Size

583KB
MD5

1be5dfb676ea45c9b295f1ea843352bc
SHA1

7c116f899466987ab92b393d9b9dd4f423ad2670
SHA256

16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e
SHA512

c96dc8b6af3b1c6e0a894caefb30637b73271492b7996d202f1e2f4044986789d27f0a5355175e2fa2080b0e8a19684c9bea333e745eba753603d65e51cf79f9

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral2/memory/3764-145-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/3764-146-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/3764-147-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3764-142-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3764-143-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3764-144-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3764-145-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3764-146-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3764-147-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FGFpvS.url	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	1.2.4.8
Destination IP	77.88.8.8
Destination IP	91.239.100.100
Destination IP	101.226.4.6
Destination IP	139.175.55.244
Destination IP	91.239.100.100
Destination IP	89.233.43.71
Destination IP	1.2.4.8
Destination IP	77.88.8.8
Destination IP	180.76.76.76
Destination IP	101.226.4.6
Destination IP	139.175.55.244
Destination IP	91.239.100.100
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	123.125.81.6
Destination IP	123.125.81.6
Destination IP	77.88.8.8
Destination IP	101.226.4.6
Destination IP	114.114.114.114
Destination IP	123.125.81.6
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	139.175.55.244
Destination IP	89.233.43.71
Destination IP	89.233.43.71
Destination IP	77.88.8.8

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1124	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	81
PID 2068 wrote to memory of 1124	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	81
PID 2068 wrote to memory of 1124	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	81
PID 1124 wrote to memory of 2904	1124	csc.exe	85
PID 1124 wrote to memory of 2904	1124	csc.exe	85
PID 1124 wrote to memory of 2904	1124	csc.exe	85
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86
PID 2068 wrote to memory of 3764	2068	16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe	86

C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
"C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2441.tmp" "c:\Users\Admin\AppData\Local\Temp\3fxb53ls\CSCD601AFE82C1E434BBDEE37521815D1E6.TMP"
    3⤵
    PID:2904
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.dll

Filesize
14KB

MD5
18992d0e76a3dd5fd42b27a2a3d3d2a5

SHA1
23ccda7deea027925e1f5aadee906c28d0962c90

SHA256
f1d45648a64d4eb71e2572f988213a5ae2698a17923c0f1b99f370be70561dca

SHA512
c993aab439c5fcab8770d46e155aa81f53917338ced294596a8dc87a34a1a9498ac8a0f4c5c8d1df89c1e004a319fb903bc2259c155142474b7d58375cc84b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.pdb

Filesize
47KB

MD5
d612e8283977b4bbd38eaab2b41a4888

SHA1
d742f65e4f047b38cbb1bb6a59477d09471626c6

SHA256
a32f087bea316615f131812d8465138f3d02eb4e2669ec60e88c3534c0d49f0b

SHA512
36bd4163a8c0e89aa5de89637fc85fdb076459e79691d9eded2fe5d81617c511cc100b1ca9c56bbeab086d6ca3ca408b47ea88e3aa534e2da3f497ccee1d3577

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2441.tmp

Filesize
1KB

MD5
989bb4ee4dd569b53d44d429dcafbb33

SHA1
5a358b8181e88139f7c8799027c8aca84509a95f

SHA256
871aa05031e72c5f4cfdfb084aa6b5f4ab0c6b48658a65e5b1d6433f2819b738

SHA512
50b6ab460f26feceb39723e6dc13d5e5710db0077d539633b52e6d109f692aac46af853b103d2f6dd14250076b9325fe86f99167f4d07ebc0435b10a48728b55

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.0.cs

Filesize
27KB

MD5
c1e277911a0bb12bc30f2de9d2805aea

SHA1
e91bbd080c2148fa4fd4389f7b9bf7b3df1d559b

SHA256
50b6b56f66a192dc2778bae2a1c2ede167be01a0dc4adffc71aaa147556dcffe

SHA512
c610e386287bbbdc276405d8cc907c8db803ba6ebde07eb64fa36daff8a28722b8f794157e4c5b8569814697a5c419631d2c386500a1e2d2214e31972b9ddd49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.cmdline

Filesize
312B

MD5
9356a062cd3b4495dbfc48806b071dc9

SHA1
11553055ecba073b58e08df2a712e6427ff7aaf4

SHA256
eb14f7b541bf61a2611164336275e9d1f1202eb45cccc5651aaaf566e1b3b76d

SHA512
c81baa6d9f62a43960f8f40e2c78475c1be05dfea1ddd1792240aa12b1934ff86cb2bf3cdeaa031475baec922d7053db5add5937443c1a4379330778f42fe7c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\CSCD601AFE82C1E434BBDEE37521815D1E6.TMP

Filesize
1KB

MD5
18b6363ba5ec3307b4a96d7db9c6a638

SHA1
c3ea7f27df9fd8cd36e06587f61b80714a7c0a7c

SHA256
15bde61afa04b0186e569b1268dbf0319ee1929b38881f926686438c7f1c6075

SHA512
a9b218ca83c61110c7486513bc07f2e1870b53330abb9d4a7b88982e63cd2146ee80b51bb965c84e21be18a9100a808709017b6823ef9460991109cf1187c66c

Download Submit
memory/2068-140-0x0000000005900000-0x000000000599C000-memory.dmp

Filesize
624KB

Download
memory/2068-130-0x00000000003B0000-0x000000000044A000-memory.dmp

Filesize
616KB

Download
memory/2068-139-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/3764-142-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-143-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-144-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-145-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-146-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3764-147-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing