Analysis
-
max time kernel
68s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 04:02
Static task
static1
Behavioral task
behavioral1
Sample
be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
Resource
win10v2004-20220414-en
General
-
Target
be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe
-
Size
64KB
-
MD5
b2a52460d7ddcf0d1eb6cb98171309da
-
SHA1
fe2ae9c1d227e045351d4c8e64089cade6ca2f48
-
SHA256
be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc
-
SHA512
d332b3cefa05f13338ebfdf5d2f87de593d82371ad950d815a8b5e4c41f06fb8a8722ab9da77286c7d6da82effc2faa4b7de246943f86f39e91ce3c926deb8cd
Malware Config
Extracted
guloader
https://drive.google.com/uc?export=download&id=1YqiJ4rfI-Gtvq2s00N_eqstSWsnL_fgd
Extracted
webmonitor
olaviqs.wm01.to:443
-
config_key
7GfpikpHRvmQe3t81PSe02B3qwlPiFPx
-
private_key
JklcEIRIO
-
url_path
/recv5.php
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor Payload 1 IoCs
resource yara_rule behavioral1/memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp family_webmonitor -
resource yara_rule behavioral1/memory/1380-69-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral1/memory/1380-71-0x0000000000400000-0x00000000004F6000-memory.dmp upx behavioral1/memory/1380-74-0x0000000000400000-0x0000000000553000-memory.dmp upx -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1376 set thread context of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 -
Program crash 1 IoCs
pid pid_target Process procid_target 1104 1380 WerFault.exe 28 -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1376 wrote to memory of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 PID 1376 wrote to memory of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 PID 1376 wrote to memory of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 PID 1376 wrote to memory of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 PID 1376 wrote to memory of 1380 1376 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 28 PID 1380 wrote to memory of 1104 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 31 PID 1380 wrote to memory of 1104 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 31 PID 1380 wrote to memory of 1104 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 31 PID 1380 wrote to memory of 1104 1380 be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"C:\Users\Admin\AppData\Local\Temp\be684c0623c1f226849c386f594c2626c14c73470a989a8907a03c258e01abfc.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 13803⤵
- Program crash
PID:1104
-
-