webmonitor | a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc

General

Target

a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
Size

1.7MB
MD5

9eeb9b33a63440d8b5558edf0c007db4
SHA1

62f57d397ef643b9c3b224cd8aebf3f988976597
SHA256

a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc
SHA512

6c1757d4956c38eb06a2aad711e3c45b58046b9856d5eb887222f061176e41ea777ae750d3ee3c82eb43433a8959057c75582ecda72324d817dac257205290b0

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

pitbullcant.wm01.to:443

Attributes

config_key
A7HOB9ROz2LrVrPGPRzC4MVB2KltDr7S
private_key
i9KVkEro3
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 4 IoCs

resource	yara_rule
behavioral2/memory/1928-138-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral2/memory/1928-139-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral2/memory/1928-140-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor
behavioral2/memory/1928-142-0x0000000000400000-0x00000000004F2000-memory.dmp	family_webmonitor

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1928-131-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-136-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-137-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-138-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-139-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-140-0x0000000000400000-0x00000000004F2000-memory.dmp	upx
behavioral2/memory/1928-142-0x0000000000400000-0x00000000004F2000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3396 set thread context of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1928	svchost.exe
Token: SeCreatePagefilePrivilege	1928	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83
PID 3396 wrote to memory of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83
PID 3396 wrote to memory of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83
PID 3396 wrote to memory of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83
PID 3396 wrote to memory of 1928	3396	a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe	83
PID 1928 wrote to memory of 1432	1928	svchost.exe	86
PID 1928 wrote to memory of 1432	1928	svchost.exe	86
PID 1928 wrote to memory of 1432	1928	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe
"C:\Users\Admin\AppData\Local\Temp\a06c169bdabb7410fef4d2b20a4c0ae0d96d268da41f496c5c013492a6b103fc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qM8dyY8F3Dg3Wbpu.bat" "
    3⤵
    PID:1432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qM8dyY8F3Dg3Wbpu.bat

Filesize
204B

MD5
464fd160fca908146e30421d5ef4f3e8

SHA1
d3c5dd19ec431409d4e6971e2c8f4c1f3995c06a

SHA256
65a8ef285c68387701a611d0c1b94a7ddd74ca548c094b06f2b1c4ddcad023a6

SHA512
8e138d884bb1aaa470e04b49f0fca400f87e4ec0b37d0811a42db556fa1101291a760d1dbd50f5ed67bfae1c62aad11de6f2b3b9ba9f4064a893544d5d6a6c02

Download Submit
memory/1928-131-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-136-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-137-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-138-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-139-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-140-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1928-142-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing