Overview

overview

10

Static

static

16914198f5...3e.exe

windows7_x64

10

16914198f5...3e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    08-06-2022 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe

  • Size

    583KB

  • MD5

    1be5dfb676ea45c9b295f1ea843352bc

  • SHA1

    7c116f899466987ab92b393d9b9dd4f423ad2670

  • SHA256

    16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e

  • SHA512

    c96dc8b6af3b1c6e0a894caefb30637b73271492b7996d202f1e2f4044986789d27f0a5355175e2fa2080b0e8a19684c9bea333e745eba753603d65e51cf79f9

Score
10/10
webmonitorbackdoorinfostealerratsuricataupx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes
  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 3 IoCs
  • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Unexpected DNS network traffic destination 31 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe
    "C:\Users\Admin\AppData\Local\Temp\16914198f56059c5e3fbcb1bb00283da59ad3ff7b06b6bd818ee912f74a42f3e.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2441.tmp" "c:\Users\Admin\AppData\Local\Temp\3fxb53ls\CSCD601AFE82C1E434BBDEE37521815D1E6.TMP"
        3⤵
          PID:2904
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:3764

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.dll
        Filesize

        14KB

        MD5

        18992d0e76a3dd5fd42b27a2a3d3d2a5

        SHA1

        23ccda7deea027925e1f5aadee906c28d0962c90

        SHA256

        f1d45648a64d4eb71e2572f988213a5ae2698a17923c0f1b99f370be70561dca

        SHA512

        c993aab439c5fcab8770d46e155aa81f53917338ced294596a8dc87a34a1a9498ac8a0f4c5c8d1df89c1e004a319fb903bc2259c155142474b7d58375cc84b90

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.pdb
        Filesize

        47KB

        MD5

        d612e8283977b4bbd38eaab2b41a4888

        SHA1

        d742f65e4f047b38cbb1bb6a59477d09471626c6

        SHA256

        a32f087bea316615f131812d8465138f3d02eb4e2669ec60e88c3534c0d49f0b

        SHA512

        36bd4163a8c0e89aa5de89637fc85fdb076459e79691d9eded2fe5d81617c511cc100b1ca9c56bbeab086d6ca3ca408b47ea88e3aa534e2da3f497ccee1d3577

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\RES2441.tmp
        Filesize

        1KB

        MD5

        989bb4ee4dd569b53d44d429dcafbb33

        SHA1

        5a358b8181e88139f7c8799027c8aca84509a95f

        SHA256

        871aa05031e72c5f4cfdfb084aa6b5f4ab0c6b48658a65e5b1d6433f2819b738

        SHA512

        50b6ab460f26feceb39723e6dc13d5e5710db0077d539633b52e6d109f692aac46af853b103d2f6dd14250076b9325fe86f99167f4d07ebc0435b10a48728b55

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.0.cs
        Filesize

        27KB

        MD5

        c1e277911a0bb12bc30f2de9d2805aea

        SHA1

        e91bbd080c2148fa4fd4389f7b9bf7b3df1d559b

        SHA256

        50b6b56f66a192dc2778bae2a1c2ede167be01a0dc4adffc71aaa147556dcffe

        SHA512

        c610e386287bbbdc276405d8cc907c8db803ba6ebde07eb64fa36daff8a28722b8f794157e4c5b8569814697a5c419631d2c386500a1e2d2214e31972b9ddd49

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\3fxb53ls.cmdline
        Filesize

        312B

        MD5

        9356a062cd3b4495dbfc48806b071dc9

        SHA1

        11553055ecba073b58e08df2a712e6427ff7aaf4

        SHA256

        eb14f7b541bf61a2611164336275e9d1f1202eb45cccc5651aaaf566e1b3b76d

        SHA512

        c81baa6d9f62a43960f8f40e2c78475c1be05dfea1ddd1792240aa12b1934ff86cb2bf3cdeaa031475baec922d7053db5add5937443c1a4379330778f42fe7c9

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\3fxb53ls\CSCD601AFE82C1E434BBDEE37521815D1E6.TMP
        Filesize

        1KB

        MD5

        18b6363ba5ec3307b4a96d7db9c6a638

        SHA1

        c3ea7f27df9fd8cd36e06587f61b80714a7c0a7c

        SHA256

        15bde61afa04b0186e569b1268dbf0319ee1929b38881f926686438c7f1c6075

        SHA512

        a9b218ca83c61110c7486513bc07f2e1870b53330abb9d4a7b88982e63cd2146ee80b51bb965c84e21be18a9100a808709017b6823ef9460991109cf1187c66c

        Download Submit
      • memory/1124-131-0x0000000000000000-mapping.dmp
        Download
      • memory/2068-140-0x0000000005900000-0x000000000599C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/2068-130-0x00000000003B0000-0x000000000044A000-memory.dmp
        Filesize

        616KB

        Download
      • memory/2068-139-0x0000000005050000-0x00000000050E2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2904-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3764-141-0x0000000000000000-mapping.dmp
        Download
      • memory/3764-142-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3764-143-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3764-144-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3764-145-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3764-146-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/3764-147-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download