General

  • Target

    3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4

  • Size

    847KB

  • Sample

    220701-rxstkshhf5

  • MD5

    e3f248b8468a9d57209794923b560237

  • SHA1

    27b209c9b50e891d1d5975cc79ed910a263c9cec

  • SHA256

    3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4

  • SHA512

    5f3302de21003d249bab7b5c87bf69f2d02126211b58725cacc27114c47ce282c0845654feaf01fc6cef07ddeb4ca0d6dff298f23671b1455c1b50da622d15d2

Malware Config

Extracted

  • Family

    webmonitor

  • C2

    arglobal.wm01.to:443

  • Attributes

    • config_key

      ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4

    • private_key

      X2HBeL4iM

    • url_path

      /recv4.php
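The extracted configuration above gives three network indicators: the C2 hostname arglobal.wm01.to, port 443, and the beacon path /recv4.php. The following is an added hunting check, not part of the sandbox report, showing how a responder would turn those fields into a log sweep. The log lines, their '<timestamp> <proto> <src_ip> key=value ...' layout, and the client/destination addresses are all constructed for the example; the hostname is matched exactly so that lookalikes such as notarglobal.wm01.to do not fire, and a hit on the path alone is reported as weak because recv4.php is a generic filename.

```python
"""Hunting check built from the extracted WebMonitor config above.

Added example, not part of the sandbox report. Indicators (C2 host and
beacon path) come from the report; the log lines are CONSTRUCTED here in a
simple '<timestamp> <proto> <src_ip> key=value ...' format for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Indicators from the extracted config.
C2_HOST = "arglobal.wm01.to"
C2_PATH = "/recv4.php"

# Exact-host match: reject lookalikes such as notarglobal.wm01.to or
# arglobal.wm01.to.example.net, but accept a trailing FQDN dot.
_HOST_RE = re.compile(r"(?<![\w.-])" + re.escape(C2_HOST) + r"(?![\w-]|\.\w)", re.I)
# The path must end the URI token: /recv4.php or /recv4.php?x=1, not /recv4.php.bak
_PATH_RE = re.compile(re.escape(C2_PATH) + r"(?=[?#\s]|$)")


@dataclass(frozen=True)
class Hit:
    line_no: int
    source: str
    reason: str


def classify(line: str) -> Optional[str]:
    """Return why a line matches, or None. The C2 hostname is the strong
    indicator; the path alone is a generic PHP filename and only a lead."""
    host = _HOST_RE.search(line) is not None
    path = _PATH_RE.search(line) is not None
    if host and path:
        return "c2 host + beacon path"
    if host:
        return "c2 host"
    if path:
        return "beacon path only (weak: generic filename, confirm the host)"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Classify every line; the third whitespace-separated field is the client IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason is None:
            continue
        fields = line.split()
        src = fields[2] if len(fields) > 2 else "?"
        hits.append(Hit(n, src, reason))
    return hits


def infected_sources(lines: List[str]) -> Set[str]:
    """Clients that resolved or contacted the C2 hostname; path-only hits excluded."""
    return {h.source for h in scan(lines) if h.reason.startswith("c2 host")}


# Constructed log lines (not from the report). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    "2022-07-01T12:00:01Z dns  10.0.0.5 query=arglobal.wm01.to type=A",
    "2022-07-01T12:00:02Z tls  10.0.0.5 dst=203.0.113.10:443 sni=arglobal.wm01.to",
    "2022-07-01T12:00:03Z http 10.0.0.5 dst=203.0.113.10:443 host=arglobal.wm01.to uri=/recv4.php method=POST",
    "2022-07-01T12:01:00Z dns  10.0.0.6 query=updates.example.net type=A",
    "2022-07-01T12:01:05Z http 10.0.0.6 dst=198.51.100.7:80 host=cdn.example.net uri=/recv4.php method=GET",
    "2022-07-01T12:02:00Z dns  10.0.0.7 query=notarglobal.wm01.to type=A",
    "2022-07-01T12:02:01Z dns  10.0.0.7 query=arglobal.wm01.to.example.net type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("infected:", sorted(infected_sources(SAMPLE_LOG)))
```

On the constructed log, only 10.0.0.5 is reported as infected: it resolved the C2 name, opened a TLS session with that SNI, and posted to /recv4.php. The 10.0.0.6 request to /recv4.php on an unrelated host is surfaced as a weak lead only, and the two lookalike names on 10.0.0.7 do not match at all. Port 443 is deliberately not part of the match, since DNS and SNI evidence does not depend on it.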

Targets

    • Target

      3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4 (the same 847KB file as in General above; MD5, SHA1 and SHA512 are listed there)

    • RevcodeRat, WebMonitorRat

      WebMonitor (sold by RevCode as WebMonitor RAT) is a commercial remote access tool marketed as letting its operator control and monitor phones and PCs from any browser. It is the family the extracted configuration above belongs to.

    • WebMonitor Payload

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build. Modified builds typically rename the UPX0/UPX1 sections or strip the UPX! marker, which also stops a plain `upx -d` from unpacking the file.

    • Uses the VBS compiler for execution

      The sample runs the Visual Basic compiler (vbc.exe, shipped with the .NET Framework). A legitimate compiler launched by an unrelated executable is a common host process for an injected payload.

    • Adds Run key to start application

      Persistence through a Run key (under HKCU or HKLM ...\Software\Microsoft\Windows\CurrentVersion\Run; the report does not say which hive), so the payload is relaunched at logon.

    • Suspicious use of SetThreadContext

      A thread context was rewritten in another process, the step that redirects execution to an injected image in process hollowing / RunPE. Together with the vbc.exe launch this is consistent with a packed dropper hollowing the compiler process to run the WebMonitor payload.
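The "UPX packed file" signature above is a static check, and the note about modified UPX matters in practice: renaming sections or stripping the marker defeats a name-only test. The following is an added example, not the sandbox's own detector, of how such a check is built. It parses the PE section table and combines three signals: UPX section names, the UPX! marker in the header area, and the UPX layout itself (an empty first section followed by a high-entropy packed section), which survives a modified UPX build. The three PE images, the build_pe helper, and the 7.0 bits/byte entropy threshold are assumptions constructed for the example; the 847KB sample from the report is not included.

```python
"""Static UPX check of the kind behind the 'UPX packed file' signature above.

Added example, not the sandbox's own detector. The PE images are CONSTRUCTED
in-code; the real sample from the report is not included.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import List, NamedTuple

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0          # bits/byte; compressed or encrypted data sits near 8


class Section(NamedTuple):
    name: str
    virtual_size: int
    raw_size: int
    raw_ptr: int
    entropy: float


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        data = blob[rptr:rptr + rsize] if rsize else b""
        out.append(Section(name.rstrip(b"\0").decode("latin-1"), vsize, rsize, rptr, entropy(data)))
    return out


def detect_upx(blob: bytes) -> dict:
    secs = pe_sections(blob)
    reasons = [f"section name {s.name}" for s in secs if s.name in UPX_SECTION_NAMES]
    # UPX keeps its 'UPX!' header between the section table and the first raw
    # section, so only look there (packed bytes could contain it by chance).
    header_end = min((s.raw_ptr for s in secs if s.raw_size), default=len(blob))
    if b"UPX!" in blob[:header_end]:
        reasons.append("UPX! marker")
    # Layout heuristic: UPX0 has no raw data (it is the unpack destination) and
    # UPX1 holds the compressed image. Survives renamed sections and a stripped marker.
    if (len(secs) >= 2 and secs[0].raw_size == 0 and secs[0].virtual_size > 0
            and secs[1].entropy > HIGH_ENTROPY):
        reasons.append("UPX-style layout: empty first section, high-entropy second")
    return {"packed_upx": bool(reasons), "reasons": reasons, "sections": secs}


def build_pe(sections, marker: bytes = b"") -> bytes:
    """Minimal PE32 image (constructed helper): DOS header, COFF header, zeroed
    optional header, section table, optional marker, raw data at 0x200 alignment.
    Only the fields the parser reads are meaningful."""
    align, e_lfanew, opt_size = 0x200, 0x40, 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\0" * (opt_size - 2)              # PE32 magic
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + len(marker)
    first_raw = -(-hdr_len // align) * align                  # round up
    table, body, va = b"", b"", 0x1000
    for name, vsize, data in sections:
        rptr = first_raw + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             len(data), rptr, 0, 0, 0, 0, 0x60000020)
        body += data + b"\0" * (-len(data) % align)
        va += max(vsize, len(data), 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    hdr = dos + b"PE\0\0" + coff + opt + table + marker
    return hdr.ljust(first_raw, b"\0") + body


# Constructed section contents: deterministic high-entropy bytes (a SHA-256
# chain) standing in for compressed code, and a low-entropy resource blob.
PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
LOW = b"\0" * 512 + b"A" * 512

UPX_IMAGE = build_pe([(b"UPX0", 0x10000, b""), (b"UPX1", 0x2000, PACKED),
                      (b".rsrc", 0x400, LOW)], marker=b"UPX!")
MODIFIED_UPX_IMAGE = build_pe([(b".text", 0x10000, b""), (b".data", 0x2000, PACKED),
                               (b".rsrc", 0x400, LOW)])          # renamed, marker stripped
PLAIN_IMAGE = build_pe([(b".text", 0x400, LOW), (b".rsrc", 0x400, LOW)])

if __name__ == "__main__":
    for label, img in [("upx", UPX_IMAGE), ("modified", MODIFIED_UPX_IMAGE), ("plain", PLAIN_IMAGE)]:
        print(label, detect_upx(img)["reasons"])
```

On a real file, `detect_upx(open(path, "rb").read())` gives the same dictionary. The stock UPX image trips all three signals; the modified image, with sections renamed and the marker removed, is still caught by the layout heuristic alone, which is the case a name-only rule misses. The heuristic is not UPX-specific (other packers use an empty destination section too), so treat it as "packed, UPX-like" rather than proof of UPX, and expect `upx -d` to fail on such samples.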

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Execution         Scripting                            1      T1064
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Scripting                            1      T1064
  Defense Evasion   Modify Registry                      1      T1112

The IDs above are ATT&CK v6 identifiers, which this report was mapped against. In current ATT&CK, T1064 (Scripting) is deprecated in favour of T1059 (Command and Scripting Interpreter), and T1060 has become the sub-technique T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112 (Modify Registry) is unchanged.

Tasks