Overview

overview

10

Static

static

396b8a398d...fc.exe

windows7_x64

10

396b8a398d...fc.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    173s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 10:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe

  • Size

    819KB

  • MD5

    5565f0e1f3d19760c449fc3b01a61a45

  • SHA1

    0c62e6457299dce75b66db6965c4c1f13f4cb663

  • SHA256

    396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc

  • SHA512

    36150a9ee821325bbe7dd03417feecdd546777ad19c2c6c11404e2233521b5ee4faf831bbc9a8ac2a136f51197016cf065207b9535a8cd21da7bdbec9b281259

Score
10/10
webmonitorbackdoorinfostealerratsuricataupx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes
  • config_key

    ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

  • private_key

    X2HBeL4iM

  • url_path

    /recv4.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor Payload 3 IoCs
  • suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

    suricata
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 1 IoCs
  • Unexpected DNS network traffic destination 41 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe
    "C:\Users\Admin\AppData\Local\Temp\396b8a398dbb41566456dfc4b114b23fcb2842a6f574c0fd7d9033f548a97ffc.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3532
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE999.tmp" "c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\CSC536D0C122A6743A38D307A14D35A4651.TMP"
        3⤵
          PID:2276
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        2⤵
          PID:4608

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Persistence

      Privilege Escalation

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RESE999.tmp
        Filesize

        1KB

        MD5

        6b9f4e254fe8d8509548773c6a7661a5

        SHA1

        14363ee09d19669dbcffae7eb5ffd504dba5b535

        SHA256

        4140e8d30f22e17659b2ae5fdf7edb1e64299f318c92a7db5a56605101fe52ab

        SHA512

        04afea9afbb89e5cc1455587235ef26d297d8adc687342ef2755b9fe65136d1e5ff6fe79b3f7454d500aceb1bf200810762f70eb058f0410ca6d661f29ccc22a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.dll
        Filesize

        6KB

        MD5

        f978a92adacdec12908a83ad21a92ff6

        SHA1

        1edfd9085162ce1049543a743347d20a2246bcf5

        SHA256

        7251df9618007a03bdf98ed2b6853076737fb01b5396f726a5767d188cd3ecc0

        SHA512

        bb3cdd03300308bdaa35baf4a15fd8cc699f89a6527c9e44f9b7526817f7d61b9c21a85b9971d7d0cd820b4d2948e2659fd4e9643c2a73502f19b539c3dcac91

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.pdb
        Filesize

        15KB

        MD5

        0f7bdf43889761ac1d3488b4aab055a5

        SHA1

        1d8828747a32d885504b527c6bf9d65820a20c0b

        SHA256

        5b52cb5bbce80279d433eca7a8993ea54f2c44d5343d088bfb9577553a9bb0d7

        SHA512

        ef99ce2fd3e607b674bad30d46d91aee9bc77f4d8546990f4a7f8fadd6eda6ed103169decfda42a355d02dc363d0ff1426427be316e787b1882ff4522c770499

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\CSC536D0C122A6743A38D307A14D35A4651.TMP
        Filesize

        1KB

        MD5

        d05722465507cecc220c4266c9ae887f

        SHA1

        a2b021c1e3d35e367b4bae278e441be5ee5a1578

        SHA256

        0da0589c930cce41a7fc04c8670b69383c01d8ab2e8f0127077d8377a315b72f

        SHA512

        afaae1daa0f22112b4134296209ef213864e85257e0b3c52d5b783e8e54d1c8663b41d2f85a679a108312ef8125df1f6d9abd181c7aa00c3338d6385e8a12848

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.0.cs
        Filesize

        2KB

        MD5

        60cee7b5566d9b1dc07b84a8f38129b0

        SHA1

        066c4e3924ab6431e61b68a456c64d5eea9a935e

        SHA256

        3ee2d64479a7139bae11c9d9a29d19783031258be171d52e2590b84fbee25186

        SHA512

        0d7fd180eb4bcc026345ed2711a2755652ea3179660b6dff4b1521115f7a271cea6b7b599df5ef37bbb36d5e294f344f8037efd4d522c077caad0c2c7323bda7

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\zxkwx4tu\zxkwx4tu.cmdline
        Filesize

        312B

        MD5

        087450f63fb3642f9b231f6c594b41a2

        SHA1

        5c0541469d18bded5808d069a478e2014f0a02d9

        SHA256

        f8669fa8bac8b305a6b5d6a9c0f654bc5f6b4be47c281b05227508f26fa8c8df

        SHA512

        c9e4a7c04b24ec7cf7e74ce5dbf12ce1f94312ee27798da741fe0f58c5014debde0b28402ce8b568811a76f53c922ac28e7d57b85497aff19e3bf78e8a66c333

        Download Submit
      • memory/1756-131-0x0000000000000000-mapping.dmp
        Download
      • memory/2276-134-0x0000000000000000-mapping.dmp
        Download
      • memory/3532-130-0x0000000000380000-0x0000000000454000-memory.dmp
        Filesize

        848KB

        Download
      • memory/3532-139-0x0000000004C90000-0x0000000004D22000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3532-140-0x0000000005580000-0x000000000561C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4608-141-0x0000000000000000-mapping.dmp
        Download
      • memory/4608-142-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/4608-143-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/4608-144-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/4608-145-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/4608-146-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download
      • memory/4608-147-0x0000000000400000-0x00000000004E9000-memory.dmp
        Filesize

        932KB

        Download