webmonitor | 396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc

General

Target

396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
Size

819KB
MD5

5565f0e1f3d19760c449fc3b01a61a45
SHA1

0c62e6457299dce75b66db6965c4c1f13f4cb663
SHA256

396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc
SHA512

36150a9ee821325bbe7dd03417feecdd546777ad19c2c6c11404e2233521b5ee4faf831bbc9a8ac2a136f51197016cf065207b9535a8cd21da7bdbec9b281259

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1868-77-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1868-78-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1868-79-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-67-0x0000000004D60000-0x0000000004E49000-memory.dmp	upx
behavioral1/memory/1868-69-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-72-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-71-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-74-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-76-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-77-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-78-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1868-79-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GUPTIW.url	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	77.88.8.8
Destination IP	101.226.4.6
Destination IP	91.239.100.100
Destination IP	1.2.4.8
Destination IP	180.76.76.76
Destination IP	139.175.55.244
Destination IP	114.114.114.114
Destination IP	123.125.81.6

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1936	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	28
PID 1948 wrote to memory of 1936	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	28
PID 1948 wrote to memory of 1936	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	28
PID 1948 wrote to memory of 1936	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	28
PID 1936 wrote to memory of 1288	1936	csc.exe	30
PID 1936 wrote to memory of 1288	1936	csc.exe	30
PID 1936 wrote to memory of 1288	1936	csc.exe	30
PID 1936 wrote to memory of 1288	1936	csc.exe	30
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31
PID 1948 wrote to memory of 1868	1948	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	31

C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
"C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kstkmcsx\kstkmcsx.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES935.tmp" "c:\Users\Admin\AppData\Local\Temp\kstkmcsx\CSC2DE696DF1F114929975EB9CB2EB87618.TMP"
    3⤵
    PID:1288
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES935.tmp

Filesize
1KB

MD5
537a0e80f4ba9811b4809927285999db

SHA1
d42a362adb86d8efbad3f39e652eca3a44d8d093

SHA256
f19eb389d8b91eece93c05847344bef8a7380b47653710ebb2394d7ad8a93ad7

SHA512
ac4a30789e80388b19e10ef471962eef05c65f55e2034a745b78bf720e09ae9863e6c3a8726777091b568bbb962954965550ff3f25fd6703c3bc7693bbcf94eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kstkmcsx\kstkmcsx.dll

Filesize
6KB

MD5
c6cd05a84b953beb2173b8cd62d3c412

SHA1
2e54cab7d15a117ac26de936fc99e16c2721359e

SHA256
4f7a2dc9683ea573f97b2baee7985f12a6313497bb4acd02bae29e74378c0f98

SHA512
186fad4ed834fa164e97158018bd273345854c3017486a06fbef3f0d39826322f1e42872805f48861d4f51a0548ad36e32ef5b2bc7620ee1349c39f88c38ce6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kstkmcsx\kstkmcsx.pdb

Filesize
15KB

MD5
9f2fc887977f3008bfa9e82d79f8af1b

SHA1
aff4a0b140325d9e42f5cec2611b961f9f605f9a

SHA256
c83e576431bf65426a6660acc3b75222beaf524f2d05210c234a38749ad9ba1c

SHA512
dcd3f70995c0a8ecaf453b044e86b384a0830454cdf14489b06294767622f6be6f5adf3cb26c35ef6d3baa62558848b2fb4c68e6fa6f74fd35cfbbe701ce6d4e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kstkmcsx\CSC2DE696DF1F114929975EB9CB2EB87618.TMP

Filesize
1KB

MD5
0921a76d6f1144d14c875b83a79c220c

SHA1
68175a8916b93eede961df8c88ddf31e6f5cd550

SHA256
f39fb3465e9091926a0235121c7643c2e234335dabd1a9a0f15da70d9c5c0d95

SHA512
f516b8ee094ba5cc80df1d5b5e81142a55cca263c7af372414200afa2ce7f6bf51a9b7e84157fcbe26bb4345191494c41803f9d4a31f1afb80e39fed1a3e2428

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kstkmcsx\kstkmcsx.0.cs

Filesize
2KB

MD5
60cee7b5566d9b1dc07b84a8f38129b0

SHA1
066c4e3924ab6431e61b68a456c64d5eea9a935e

SHA256
3ee2d64479a7139bae11c9d9a29d19783031258be171d52e2590b84fbee25186

SHA512
0d7fd180eb4bcc026345ed2711a2755652ea3179660b6dff4b1521115f7a271cea6b7b599df5ef37bbb36d5e294f344f8037efd4d522c077caad0c2c7323bda7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kstkmcsx\kstkmcsx.cmdline

Filesize
312B

MD5
939af1cc260cd60578bf0bee392e15d5

SHA1
9fb8ca76b8287e02346424adadab76a3784c50c7

SHA256
1f8648c6f5992f2a81c2ef0877ec012b2967631f7cea91be257136581f305870

SHA512
d9687f868a82fdc80dcb6d12d84abb82d9d5c2a1a7c52f041ecd60f24acf9968bd38cf0b2c29b87db7c2fd74ffc5a85a5472208d0d484420ca0a01be6c473a92

Download Submit
memory/1868-76-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-79-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-78-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-77-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-74-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-71-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-68-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1868-72-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1948-67-0x0000000004D60000-0x0000000004E49000-memory.dmp

Filesize
932KB

Download
memory/1948-54-0x0000000001310000-0x00000000013E4000-memory.dmp

Filesize
848KB

Download
memory/1948-66-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1948-65-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1948-64-0x0000000004CF0000-0x0000000004D58000-memory.dmp

Filesize
416KB

Download
memory/1948-63-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing