Analysis

max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 02:25
Behavioral task: behavioral1
Sample: ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
Resource: win10v2004-20220721-en
General

Target: ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
Size: 365KB
MD5: af76619743662c5e9ccfaa1f940b8354
SHA1: bf8e2c7b4a84ca177d7ae9c4ba6155d2dbc74b38
SHA256: ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b
SHA512: be9eaaadc9cf5509e301c9908e555b2ac0dbf984aede52545a78b98ce459f222050e1d0fc01aa4afdca275d921f79c972b325de55a9d91285c1298e6b5291373
Malware Config

Extracted: webmonitor
server: primeservers1.wm01.to:443
config_key: AP8PrfNym8htAX0Za6LL12tdOuH5BSPp
private_key: U6yRoBXHU
url_path: /recv5.php
Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that can be used from any browser to control and monitor phones or PCs.
WebMonitor payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp | family_webmonitor
behavioral1/memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp | family_webmonitor
behavioral1/memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp | family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

Processes (yara_rule: upx):
resource | yara_rule
behavioral1/memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp | upx
behavioral1/memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp | upx
behavioral1/memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp | upx
Unexpected DNS network traffic destination 8 IoCs
Network traffic on the DNS port to servers other than the configured DNS servers was detected.
Processes:
description | ioc
Destination IP | 185.243.215.214
Destination IP | 185.243.215.214
Destination IP | 1.2.4.8
Destination IP | 1.2.4.8
Destination IP | 114.114.114.114
Destination IP | 185.243.215.214
Destination IP | 185.243.215.214
Destination IP | 114.114.114.114
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 288 | ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
Downloads

file | filesize
memory/288-54-0x0000000076191000-0x0000000076193000-memory.dmp | 8KB
memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp | 984KB
memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp | 16.0MB
memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp | 984KB
memory/288-58-0x0000000002CF0000-0x0000000003CF0000-memory.dmp | 16.0MB