webmonitor | 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4

General

Target

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
Size

847KB
MD5

e3f248b8468a9d57209794923b560237
SHA1

27b209c9b50e891d1d5975cc79ed910a263c9cec
SHA256

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4
SHA512

5f3302de21003d249bab7b5c87bf69f2d02126211b58725cacc27114c47ce282c0845654feaf01fc6cef07ddeb4ca0d6dff298f23671b1455c1b50da622d15d2

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4192-145-0x0000000000400000-0x00000000004EA000-memory.dmp	family_webmonitor
behavioral2/memory/4192-146-0x0000000000400000-0x00000000004EA000-memory.dmp	family_webmonitor

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4192-142-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4192-143-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4192-144-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4192-145-0x0000000000400000-0x00000000004EA000-memory.dmp	upx
behavioral2/memory/4192-146-0x0000000000400000-0x00000000004EA000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RevCode-c575 = "C:\\Users\\Admin\\AppData\\Roaming\\RevCode-c575.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

description	pid	process	target process
PID 4828 set thread context of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4960 4192 WerFault.exe vbc.exe

pid	pid_target	process	target process
4960	4192	WerFault.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

pid	process
4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

description pid process

Token: SeDebugPrivilege 4828 3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

description	pid	process
Token: SeDebugPrivilege	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.execsc.exe

description	pid	process	target process
PID 4828 wrote to memory of 1912	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	csc.exe
PID 4828 wrote to memory of 1912	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	csc.exe
PID 4828 wrote to memory of 1912	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	csc.exe
PID 1912 wrote to memory of 4776	1912	csc.exe	cvtres.exe
PID 1912 wrote to memory of 4776	1912	csc.exe	cvtres.exe
PID 1912 wrote to memory of 4776	1912	csc.exe	cvtres.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe
PID 4828 wrote to memory of 4192	4828	3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe
"C:\Users\Admin\AppData\Local\Temp\3dc3c502ad14aceb3d6b686de8c5b4364d83a2bc4f6bb46c1951a41432ecbad4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35A6.tmp" "c:\Users\Admin\AppData\Local\Temp\25kxaxiv\CSC6D712EEBFCCA468AA0BE39C1F378E62.TMP"
    3⤵
    PID:4776
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Adds Run key to start application
  PID:4192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 756
    3⤵
    - Program crash
    PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4192 -ip 4192
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.dll

Filesize
12KB

MD5
902333a36c64c6e6294d107216497a29

SHA1
6399b6d71462b6ba01eaac1ade3d37a95ff9337f

SHA256
c9db15ada8924161ab4826f3ec67a821312a998ec60ab9f600a76612a2c94847

SHA512
b8b64f2e6f5fd4523cb47d1a0baaadbfa02331c47d7a6b72c94ecf849c6822c222078ff0a6ae73614a1f52a47e668b933155af89f0c8780e28ca7e97051faf20

Download Submit
C:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.pdb

Filesize
39KB

MD5
87d83587c3fc2195eb53923acd5cb319

SHA1
04d4f48eb8a73bd93836a2f7aa92388ad29b556c

SHA256
ca9881c01f860d160021195a7ae62453b9e4c7e73733fe099ff0435a8d4b22fb

SHA512
7b0b5b6f6779c5abe6a8a3b7f8aecec8215803bde3e8aedda383e7b7649f90d3c248a81310a2167fbd6a25831f2189f5773d22336ec6f9be35d5bf6d647dd825

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES35A6.tmp

Filesize
1KB

MD5
9468506ca78e728ef73c6f86324b3a36

SHA1
e3b16b56ea8cb462e895ea2bb88c3271b6b3833e

SHA256
3508556ac2caaa9b8bc1f77379eeb0a876fbf0cac52f5733815fdd0e600160cd

SHA512
bb354e9fc8c8e87be7164d1d934959b406ca198d9c24d5da5f9988d1b9b600ad4b85ae811253b1dd70b21724e74d018bdb509d9741176740986744336808e400

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.0.cs

Filesize
18KB

MD5
8181e2eb98c9b5c53accad15ad864bc2

SHA1
bdc95efd33d7e754f19b95255219b54845eb4733

SHA256
2b4634fe340e0bebb8139806d4c1845af849757634244389d79d6953d9603013

SHA512
60c5dc9a12d25f11a9c86f8a5ea83e2d59bd81f26b4f5e47fd7ebb37c2cb19d9cf2c419f6dd31099f88fc91205aa7f10d13e8762b096a5278204eeb00ff37f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25kxaxiv\25kxaxiv.cmdline

Filesize
312B

MD5
31d88526520ca964fc8ceda8b8c54362

SHA1
2c1aa886a7a3f25dd9150f742ce8b3235b5bce82

SHA256
9fc866d16683aa5a1bbdefee6a46ace64606d3f92872cd958a1019007623dae1

SHA512
8cbeff97667ad6ce5dc773894aed97002f0cbf22c001f3765cbf1b22c7bd5852fcba8239e4d660aaf223042e069bd85101d90e5210cf6003c1237219d0d49f7d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\25kxaxiv\CSC6D712EEBFCCA468AA0BE39C1F378E62.TMP

Filesize
1KB

MD5
87921a1efd7ee53d5e828e3d29089c1a

SHA1
f5c69cc3a1242ab89c48b93dbb56972ca3d34a7a

SHA256
aed49a469aef82bb3e4cfa02a01a36389a607c4daf52ac3493c604570c83f505

SHA512
128b4b3de17026c086d7b0b96f236be495618bc052c0210556839b64382ac8502028183006fad393b2b3e095f261d76d21c5790468e3b0a2e537639dc16538b3

Download Submit
memory/1912-131-0x0000000000000000-mapping.dmp

Download
memory/4192-142-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4192-141-0x0000000000000000-mapping.dmp

Download
memory/4192-143-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4192-144-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4192-145-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4192-146-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/4776-134-0x0000000000000000-mapping.dmp

Download
memory/4828-139-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/4828-140-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/4828-130-0x0000000000360000-0x000000000043A000-memory.dmp

Filesize
872KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads