webmonitor | 396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc

General

Target

396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
Size

819KB
MD5

5565f0e1f3d19760c449fc3b01a61a45
SHA1

0c62e6457299dce75b66db6965c4c1f13f4cb663
SHA256

396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc
SHA512

36150a9ee821325bbe7dd03417feecdd546777ad19c2c6c11404e2233521b5ee4faf831bbc9a8ac2a136f51197016cf065207b9535a8cd21da7bdbec9b281259

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4608-145-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4608-146-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/4608-147-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-142-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4608-143-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4608-144-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4608-145-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4608-146-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/4608-147-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GUPTIW.url	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Unexpected DNS network traffic destination 41 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	180.76.76.76
Destination IP	139.175.55.244
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	101.226.4.6
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	123.125.81.6
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	89.233.43.71
Destination IP	123.125.81.6
Destination IP	77.88.8.8
Destination IP	91.239.100.100
Destination IP	114.114.114.114
Destination IP	77.88.8.8
Destination IP	139.175.55.244
Destination IP	180.76.76.76
Destination IP	1.2.4.8
Destination IP	89.233.43.71
Destination IP	180.76.76.76
Destination IP	89.233.43.71
Destination IP	91.239.100.100
Destination IP	101.226.4.6
Destination IP	139.175.55.244
Destination IP	180.76.76.76
Destination IP	89.233.43.71
Destination IP	77.88.8.8
Destination IP	77.88.8.8
Destination IP	139.175.55.244
Destination IP	1.2.4.8
Destination IP	101.226.4.6
Destination IP	91.239.100.100
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	77.88.8.8
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	91.239.100.100

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3532 set thread context of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 1756	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	82
PID 3532 wrote to memory of 1756	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	82
PID 3532 wrote to memory of 1756	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	82
PID 1756 wrote to memory of 2276	1756	csc.exe	84
PID 1756 wrote to memory of 2276	1756	csc.exe	84
PID 1756 wrote to memory of 2276	1756	csc.exe	84
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85
PID 3532 wrote to memory of 4608	3532	396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe	85

C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
"C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE999.tmp" "c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\CSC536D0C122A6743A38D307A14D35A4651.TMP"
    3⤵
    PID:2276
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE999.tmp

Filesize
1KB

MD5
6b9f4e254fe8d8509548773c6a7661a5

SHA1
14363ee09d19669dbcffae7eb5ffd504dba5b535

SHA256
4140e8d30f22e17659b2ae5fdf7edb1e64299f318c92a7db5a56605101fe52ab

SHA512
04afea9afbb89e5cc1455587235ef26d297d8adc687342ef2755b9fe65136d1e5ff6fe79b3f7454d500aceb1bf200810762f70eb058f0410ca6d661f29ccc22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.dll

Filesize
6KB

MD5
f978a92adacdec12908a83ad21a92ff6

SHA1
1edfd9085162ce1049543a743347d20a2246bcf5

SHA256
7251df9618007a03bdf98ed2b6853076737fb01b5396f726a5767d188cd3ecc0

SHA512
bb3cdd03300308bdaa35baf4a15fd8cc699f89a6527c9e44f9b7526817f7d61b9c21a85b9971d7d0cd820b4d2948e2659fd4e9643c2a73502f19b539c3dcac91

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.pdb

Filesize
15KB

MD5
0f7bdf43889761ac1d3488b4aab055a5

SHA1
1d8828747a32d885504b527c6bf9d65820a20c0b

SHA256
5b52cb5bbce80279d433eca7a8993ea54f2c44d5343d088bfb9577553a9bb0d7

SHA512
ef99ce2fd3e607b674bad30d46d91aee9bc77f4d8546990f4a7f8fadd6eda6ed103169decfda42a355d02dc363d0ff1426427be316e787b1882ff4522c770499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\CSC536D0C122A6743A38D307A14D35A4651.TMP

Filesize
1KB

MD5
d05722465507cecc220c4266c9ae887f

SHA1
a2b021c1e3d35e367b4bae278e441be5ee5a1578

SHA256
0da0589c930cce41a7fc04c8670b69383c01d8ab2e8f0127077d8377a315b72f

SHA512
afaae1daa0f22112b4134296209ef213864e85257e0b3c52d5b783e8e54d1c8663b41d2f85a679a108312ef8125df1f6d9abd181c7aa00c3338d6385e8a12848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.0.cs

Filesize
2KB

MD5
60cee7b5566d9b1dc07b84a8f38129b0

SHA1
066c4e3924ab6431e61b68a456c64d5eea9a935e

SHA256
3ee2d64479a7139bae11c9d9a29d19783031258be171d52e2590b84fbee25186

SHA512
0d7fd180eb4bcc026345ed2711a2755652ea3179660b6dff4b1521115f7a271cea6b7b599df5ef37bbb36d5e294f344f8037efd4d522c077caad0c2c7323bda7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.cmdline

Filesize
312B

MD5
087450f63fb3642f9b231f6c594b41a2

SHA1
5c0541469d18bded5808d069a478e2014f0a02d9

SHA256
f8669fa8bac8b305a6b5d6a9c0f654bc5f6b4be47c281b05227508f26fa8c8df

SHA512
c9e4a7c04b24ec7cf7e74ce5dbf12ce1f94312ee27798da741fe0f58c5014debde0b28402ce8b568811a76f53c922ac28e7d57b85497aff19e3bf78e8a66c333

Download Submit
memory/3532-130-0x0000000000380000-0x0000000000454000-memory.dmp

Filesize
848KB

Download
memory/3532-139-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/3532-140-0x0000000005580000-0x000000000561C000-memory.dmp

Filesize
624KB

Download
memory/4608-142-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4608-143-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4608-144-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4608-145-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4608-146-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/4608-147-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing