webmonitor | ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
25-07-2022 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
Size

365KB
MD5

af76619743662c5e9ccfaa1f940b8354
SHA1

bf8e2c7b4a84ca177d7ae9c4ba6155d2dbc74b38
SHA256

ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b
SHA512

be9eaaadc9cf5509e301c9908e555b2ac0dbf984aede52545a78b98ce459f222050e1d0fc01aa4afdca275d921f79c972b325de55a9d91285c1298e6b5291373

Score

10^/10

webmonitor backdoor infostealer rat suricata upx

Malware Config

Extracted

Family

webmonitor

primeservers1.wm01.to:443

Attributes

config_key
AP8PrfNym8htAX0Za6LL12tdOuH5BSPp
private_key
U6yRoBXHU
url_path
/recv5.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 3 IoCs

resource	yara_rule
behavioral1/memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor
behavioral1/memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp	family_webmonitor
behavioral1/memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp	family_webmonitor

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
suricata

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp	upx
behavioral1/memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp	upx
behavioral1/memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp	upx

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	185.243.215.214
Destination IP	185.243.215.214
Destination IP	114.114.114.114

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	288	ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe

C:\Users\Admin\AppData\Local\Temp\ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe
"C:\Users\Admin\AppData\Local\Temp\ea419643de9a10a418292f1603f86bab0942f436af5e7a8309351ce552e68d2b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/288-55-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/288-56-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Filesize
16.0MB

Download
memory/288-57-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/288-58-0x0000000002CF0000-0x0000000003CF0000-memory.dmp

Filesize
16.0MB

Download