webmonitor | 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4

General

Target

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
Size

847KB
MD5

e3f248b8468a9d57209794923b560237
SHA1

27b209c9b50e891d1d5975cc79ed910a263c9cec
SHA256

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4
SHA512

5f3302de21003d249bab7b5c87bf69f2d02126211b58725cacc27114c47ce282c0845654feaf01fc6cef07ddeb4ca0d6dff298f23671b1455c1b50da622d15d2

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1672-78-0x0000000000400000-0x00000000004EA000-memory.dmp	family_webmonitor
behavioral1/memory/1672-80-0x0000000000400000-0x00000000004EA000-memory.dmp	family_webmonitor

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/880-67-0x0000000004CF0000-0x0000000004DDA000-memory.dmp	upx
behavioral1/memory/1672-69-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-71-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-72-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-74-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-75-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-77-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-78-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral1/memory/1672-80-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\RevCode-461b = "C:\\Users\\Admin\\AppData\\Roaming\\RevCode-461b.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1160	1672	WerFault.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 956	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	27
PID 880 wrote to memory of 956	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	27
PID 880 wrote to memory of 956	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	27
PID 880 wrote to memory of 956	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	27
PID 956 wrote to memory of 1752	956	csc.exe	29
PID 956 wrote to memory of 1752	956	csc.exe	29
PID 956 wrote to memory of 1752	956	csc.exe	29
PID 956 wrote to memory of 1752	956	csc.exe	29
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 880 wrote to memory of 1672	880	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	30
PID 1672 wrote to memory of 1160	1672	vbc.exe	31
PID 1672 wrote to memory of 1160	1672	vbc.exe	31
PID 1672 wrote to memory of 1160	1672	vbc.exe	31
PID 1672 wrote to memory of 1160	1672	vbc.exe	31

C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
"C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nh3i3wgb\nh3i3wgb.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A63.tmp" "c:\Users\Admin\AppData\Local\Temp\nh3i3wgb\CSCA7C518A885904C81B31EBD2649DBFE8F.TMP"
    3⤵
    PID:1752
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 344
    3⤵
    - Program crash
    PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A63.tmp

Filesize
1KB

MD5
22deb7f3b270809fd74fe479c08f1c84

SHA1
baca748aabc36be12e0e05dde14af16ab18dda7d

SHA256
139006cedc790a79ded7d3ee0f8721039ec8b0c882f64eceb64e98489cd8287a

SHA512
e43c88d1fe4bbc58f37a7b98d55569ce4e7ce21cd452893a4b406237850391bced9f77dfb9d8c59eea3bdb9bb9e2752b668d7b4286cb5f46469d1d4d88823c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\nh3i3wgb\nh3i3wgb.dll

Filesize
12KB

MD5
5b286c59e59ca4725f580a62658342f1

SHA1
a685f27aab05f39a693b2ef021fcf9e564bc9ac3

SHA256
08694009d727c2dfd9703a444d7bc80b6ddae2d424684d5ea3e06158ff0a30b8

SHA512
c96df77c31d8223aa4ec405f46e47c4522343c0af70e086c71a3024f16fe90d402c3749f8bb7f52451fa26407e03e54b0cd62891a194fc84a420c32c6c1619e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nh3i3wgb\nh3i3wgb.pdb

Filesize
39KB

MD5
4fc5a1c15dfb3adbf1fe684cb7ed99d3

SHA1
396af66d11cc00eacbd77c5dbbf70ef98e829ce7

SHA256
9fc55bd48101d1742728b5cdd41fc330bb74e7585d61847686394a56f76f9d12

SHA512
8f8bf638b2cbc50e5f6a8e2222ea49ccaf5221a069aa47b08d8bd408df18f578327fcf7e4a282fd3c47a2f4ed2ced8bdcb39f4342f4c1c831ca4573e5f3dfd92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh3i3wgb\CSCA7C518A885904C81B31EBD2649DBFE8F.TMP

Filesize
1KB

MD5
adffef9288dca6cbbab9698818de2de6

SHA1
04e66c89dd135219a4fd7429ccee75e67cdf5d90

SHA256
3c81ea4b7d988d491a7d5c2a63144cd241f0ab419f8d049bd8af500f89672029

SHA512
a9ac71cee3a4ee9f706a92f0e545c880b810db6ae12844567841f19f44b4f53f3bbc55119881a633472223726b2a9de4d55f3232d6c7e2dc97d21b833228f106

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh3i3wgb\nh3i3wgb.0.cs

Filesize
18KB

MD5
8181e2eb98c9b5c53accad15ad864bc2

SHA1
bdc95efd33d7e754f19b95255219b54845eb4733

SHA256
2b4634fe340e0bebb8139806d4c1845af849757634244389d79d6953d9603013

SHA512
60c5dc9a12d25f11a9c86f8a5ea83e2d59bd81f26b4f5e47fd7ebb37c2cb19d9cf2c419f6dd31099f88fc91205aa7f10d13e8762b096a5278204eeb00ff37f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nh3i3wgb\nh3i3wgb.cmdline

Filesize
312B

MD5
f9180cf99765e4cd474a7f67cd443602

SHA1
aa88a8aa588ffd9529cf59c778710d3b99c0c780

SHA256
22d0e2da1b79ef1432c60078fa0d7845738f9e1f31be7a9e50ac3fb5ee7c605b

SHA512
31f4702b8d3b20d040b861832d5aa26d8f7f2b1a1b6efe340a6deb5056ace36c209ba5f0676b4b58211a2594b63520afe9a46b287b5f5ce895d8cf12fd479b7d

Download Submit
memory/880-66-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/880-63-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/880-64-0x00000000010F0000-0x0000000001156000-memory.dmp

Filesize
408KB

Download
memory/880-65-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/880-54-0x0000000001270000-0x000000000134A000-memory.dmp

Filesize
872KB

Download
memory/880-67-0x0000000004CF0000-0x0000000004DDA000-memory.dmp

Filesize
936KB

Download
memory/1672-69-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-71-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-72-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-74-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-75-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-77-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-78-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-68-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1672-80-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing