webmonitor | 2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9 | Triage

Submit
Reports

Overview

overview

Static

static

2e084ca9b8...a9.exe

windows7-x64

2e084ca9b8...a9.exe

windows10-2004-x64

8

Sharing

General

Target

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
Size

668KB
Sample

220725-ewav6aecd7
MD5

897f3c7d741c4d5c7fc96f322a6f5a6a
SHA1

9738e0d5982f1a2255d7a72dc580bc85c554569e
SHA256

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
SHA512

30c433ff994848289cac9f500b7428b1bc06b119fb3260b0f48e5de0f2f841275ffbfab978d947b23f050acad647dd01925c33ddca9c2fa80cc9d9e50cb0c620

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Static task

static1

Behavioral task

behavioral1

Sample

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe

Resource

win7-20220715-en

webmonitor backdoor infostealer persistence rat upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9.exe

Resource

win10v2004-20220721-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Extracted

Family

webmonitor

C2

snowhair123.wm01.to:443

Attributes

config_key
kke8E3MMthAVUs3B5qBplqOYCdXuK3lS
private_key
DltfwOvgE
url_path
/recv4.php

Targets

- Target
  
  2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
- Size
  
  668KB
- MD5
  
  897f3c7d741c4d5c7fc96f322a6f5a6a
- SHA1
  
  9738e0d5982f1a2255d7a72dc580bc85c554569e
- SHA256
  
  2e084ca9b86b432252097b8cbb9fb8b470cc1ca9d3eedb8e9033e2ff09d126a9
- SHA512
  
  30c433ff994848289cac9f500b7428b1bc06b119fb3260b0f48e5de0f2f841275ffbfab978d947b23f050acad647dd01925c33ddca9c2fa80cc9d9e50cb0c620
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerpersistenceratupx

behavioral2

© 2018-2024

Terms | Privacy