webmonitor | 4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669.exe
Size

361KB
MD5

ee6d202c314430288e1babc3c9256f40
SHA1

e1db7db841535428e0bd482b6fcd4e35a5ec7c33
SHA256

4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669
SHA512

ef6ef49b3e5a57a699b2802d2a53ff48db3230e68944bb1b69f8f77180c283055f2efaee59553c7e19371e0bb904084e178f26cea8312ca55e2280057552ecf2

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

qqsola.wm01.to:443

Attributes

config_key
jJYLbTB9TsvWtCPWrodDFU1k5EBbvtuI
private_key
neS5F12vo
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1948-55-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral1/memory/1948-57-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-55-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral1/memory/1948-57-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Unexpected DNS network traffic destination 13 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.243.215.214
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	185.243.215.214

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669.exe

C:\Users\Admin\AppData\Local\Temp\4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669.exe
"C:\Users\Admin\AppData\Local\Temp\4393b05a23f05af255589f1c32935811d2e6a8f112e54c956b8c52051e0a4669.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1948-54-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1948-56-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download
memory/1948-57-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1948-58-0x0000000002CE0000-0x0000000003CE0000-memory.dmp

Filesize
16.0MB

Download