General

  • Target

    a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc

  • Size

    1.7MB

  • Sample

    220625-hcz8gsbhd7

  • MD5

    9eeb9b33a63440d8b5558edf0c007db4

  • SHA1

    62f57d397ef643b9c3b224cd8aebf3f988976597

  • SHA256

    a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc

  • SHA512

    6c1757d4956c38eb06a2aad711e3c45b58046b9856d5eb887222f061176e41ea777ae750d3ee3c82eb43433a8959057c75582ecda72324d817dac257205290b0

Malware Config

Extracted

  • Family

    webmonitor

  • C2

    pitbullcant.wm01.to:443

  • Attributes

    config_key: A7HOB9ROz2LrVrPGPRzC4MVB2KltDr7S
    private_key: i9KVkEro3
    url_path: /recv5.php

Targets

    • Target

      a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc

    • Size

      1.7MB

    • MD5

      9eeb9b33a63440d8b5558edf0c007db4

    • SHA1

      62f57d397ef643b9c3b224cd8aebf3f988976597

    • SHA256

      a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc

    • SHA512

      6c1757d4956c38eb06a2aad711e3c45b58046b9856d5eb887222f061176e41ea777ae750d3ee3c82eb43433a8959057c75582ecda72324d817dac257205290b0

    • RevcodeRat, WebMonitorRat

      WebMonitor (also sold as RevCode) is a commercial remote access tool whose operator panel runs in a web browser and is used to control and monitor phones or PCs.

    • WebMonitor Payload

    • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
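
The two network signatures above (the C2 domain lookup and DNS-port traffic to a non-configured resolver) reduce to simple matching over DNS and flow records. The following is an added example, not code from the sandbox or from the report's author: it takes the C2 host, port and url_path from the extracted config, runs both checks over a handful of constructed flow records, and derives flat IOCs. The configured resolver addresses, the sample flows, and the assumption that url_path is served on the C2 host:port over HTTPS are all mine, not facts stated by the report.

```python
"""Detection over constructed DNS/flow records for the indicators in this report."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Indicators taken from the report's extracted config.
C2_HOST = "pitbullcant.wm01.to"
C2_PORT = 443
C2_URL_PATH = "/recv5.php"

# Assumption for the example: the monitored network's configured DNS resolvers.
CONFIGURED_RESOLVERS = frozenset({"10.0.0.53", "10.0.0.54"})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str          # "udp" or "tcp"
    qname: str | None   # DNS question name if this is a DNS query, else None


def is_c2_domain(qname: str) -> bool:
    """Match the C2 host and any subdomain of it label by label.

    A plain substring test would also fire on e.g. 'notpitbullcant.wm01.to';
    comparing trailing labels avoids that false positive.
    """
    labels = qname.lower().rstrip(".").split(".")
    c2 = C2_HOST.split(".")
    return len(labels) >= len(c2) and labels[-len(c2):] == c2


def is_unexpected_dns_destination(flow: Flow) -> bool:
    """Traffic on the DNS port to a server other than the configured resolvers."""
    return flow.dport == 53 and flow.dst not in CONFIGURED_RESOLVERS


def c2_indicators() -> dict[str, str]:
    """Flat IOCs derived from the config.

    The URL form assumes url_path is served on the C2 host:port over HTTPS
    (port 443); the report itself only lists host:port and path separately.
    """
    return {
        "domain": C2_HOST,
        "socket": f"{C2_HOST}:{C2_PORT}",
        "url": f"https://{C2_HOST}:{C2_PORT}{C2_URL_PATH}",
    }


def triage(flows: Iterable[Flow]) -> list[tuple[str, Flow]]:
    """Return (signature name, flow) for every record that trips a check."""
    hits: list[tuple[str, Flow]] = []
    for f in flows:
        if f.qname is not None and is_c2_domain(f.qname):
            hits.append(("WebMonitor/RevCode RAT CnC Domain in DNS Lookup", f))
        if is_unexpected_dns_destination(f):
            hits.append(("Unexpected DNS network traffic destination", f))
    return hits


# Constructed sample records (not captured from the sandbox run).
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "10.0.0.53", 53, "udp", "pitbullcant.wm01.to"),    # C2 lookup via normal resolver
    Flow("10.0.0.25", "8.8.8.8", 53, "udp", "time.windows.com"),         # benign name, non-configured resolver
    Flow("10.0.0.25", "10.0.0.53", 53, "udp", "notpitbullcant.wm01.to"), # substring trap, must not match
    Flow("10.0.0.25", "10.0.0.53", 53, "udp", "update.microsoft.com"),   # benign
    Flow("10.0.0.25", "203.0.113.10", 443, "tcp", None),                 # HTTPS flow, not DNS
]

if __name__ == "__main__":
    for rule, flow in triage(SAMPLE_FLOWS):
        print(f"{rule}: {flow.src} -> {flow.dst}:{flow.dport} {flow.qname or ''}")
    print(c2_indicators())
```

Run it as-is to see two hits: the C2 lookup and the query sent to 8.8.8.8. Feed it real Zeek dns.log or conn.log rows by mapping them onto Flow; the label-wise domain match is the part worth keeping when you port it to a SIEM query.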

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)
