webmonitor | 55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5

General

Target

55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
Size

612KB
MD5

6089a3255851bc09825c01e73d2e0b52
SHA1

720694441f23f83b954db816a83909784272d68c
SHA256

55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5
SHA512

9c550c659dee8659fa3e695aab1e392b0e5e4e2a9d424e3c795e27d24b6c294a6800a9516d92445d7061a9a79e24f8056fc2103d4b1abf744e9cae8de9dc0b03

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 3 IoCs

resource	yara_rule
behavioral1/memory/1728-77-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1728-78-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/1728-79-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1856-67-0x0000000000BE0000-0x0000000000CC9000-memory.dmp	upx
behavioral1/memory/1728-69-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-71-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-72-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-74-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-76-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-77-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-78-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/1728-79-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNHnZP.url	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	77.88.8.8
Destination IP	89.233.43.71
Destination IP	1.2.4.8
Destination IP	101.226.4.6
Destination IP	123.125.81.6
Destination IP	139.175.55.244
Destination IP	180.76.76.76
Destination IP	91.239.100.100
Destination IP	114.114.114.114

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2000	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	26
PID 1856 wrote to memory of 2000	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	26
PID 1856 wrote to memory of 2000	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	26
PID 1856 wrote to memory of 2000	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	26
PID 2000 wrote to memory of 2028	2000	csc.exe	28
PID 2000 wrote to memory of 2028	2000	csc.exe	28
PID 2000 wrote to memory of 2028	2000	csc.exe	28
PID 2000 wrote to memory of 2028	2000	csc.exe	28
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29
PID 1856 wrote to memory of 1728	1856	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	29

C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
"C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tvusedb0\tvusedb0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES536E.tmp" "c:\Users\Admin\AppData\Local\Temp\tvusedb0\CSC8AB08B95EEED47549ECFD46AF557353A.TMP"
    3⤵
    PID:2028
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES536E.tmp

Filesize
1KB

MD5
8fa0261d1d3291236c2702d733b23457

SHA1
258c96a72d6e70960ec30123da4f05224b63e738

SHA256
014229fdab6e6d9e93b2688ebee59089bca96aedc2a085f3b58eef764e79c8db

SHA512
7b7e8561aa76fb2bbc4b5cdc1280cd2ada5fa59fdf6f85366537d077d1f0aae4ca0f5490872473c58050d2fb134fcc3aef9366c7154b655225c74d30ef419cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvusedb0\tvusedb0.dll

Filesize
6KB

MD5
7950b2509d6572c3165b655091003823

SHA1
b09de4e978ceaccfcce8de043696b1b7bdd43742

SHA256
0c04086bcb76dd8061dd2fd0595c649198d6d0c2c1e5583789f796f439dccfb4

SHA512
d2e9291de1b3c153387e5b6677592148ea3b960fa877be7846ba1014e5a2e51d4c344bff6e93237801e30aa643a6fbcfb46f2c80b7de9c02d8f87f67397e71f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvusedb0\tvusedb0.pdb

Filesize
15KB

MD5
b2a63e84a5199ecbf9112f92d08092ef

SHA1
66d79741b9be38393cdc7d5524a8c77b3b689aa0

SHA256
4c5dbe823a4b494512868814b5829138ee826c1e4cb7c9c74cba1fc6884b4717

SHA512
78e569c6d6297b91f9a7568c2b4f519b19513e2e3c19c52881a909ebe4ec3aa2fb0b94eb39b832f6665a35314dda2a81729c60e79bd49f1f2682abdc83b1f80f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvusedb0\CSC8AB08B95EEED47549ECFD46AF557353A.TMP

Filesize
1KB

MD5
5c1f9d0be89ca85a8cdc1014a2791bd3

SHA1
d81404c22e3e639fd71bd0dea8cd5286ad6bb9b1

SHA256
e94203eb2ef234a449c21867d7fbb569dd7340e2685b6a9399c896c37b8ede57

SHA512
934541c0be86a17a0c04a7ffe11814b08aa302bab015f104991875131149ec0b293a8367a2ebf64b0821622b3daccac1361436719ccf7e3a6a374ecf7c7ec959

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvusedb0\tvusedb0.0.cs

Filesize
2KB

MD5
f9a9022ca3a996a6d31fe4ca4f72c454

SHA1
c418512b8bfb0be563565f7afdbade30f0c83322

SHA256
a374f1776f0337d991055993d52b443d9c4317738e183522e1d51178c2fc49f1

SHA512
4284862f17265d1e7c67d9758e86da100be9f08df195bd57c5c27f95eef1d9a2094ffca665db6a452ca72b49c141d9d6a2936a1425dd7f8b2736b3f633f781e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tvusedb0\tvusedb0.cmdline

Filesize
312B

MD5
52785243a4bff2bc8764b59351811508

SHA1
f136a4bdc0eeecff6ddc88bf20cced9f51ba0002

SHA256
6ea9b11e0239cf8db426f29118d98b42ed17842f99fb389723914372e8a0573c

SHA512
2cf1beac01858d72dcddec460b63b54693655f2ddf4ab1ebb92901a61936772d17789582faa7b249aa5c369455fbe562fc99e873cbb17c9e0446660a81166dd9

Download Submit
memory/1728-74-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-79-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-78-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-77-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-76-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-72-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-71-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-68-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1728-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1856-67-0x0000000000BE0000-0x0000000000CC9000-memory.dmp

Filesize
932KB

Download
memory/1856-66-0x00000000761D1000-0x00000000761D3000-memory.dmp

Filesize
8KB

Download
memory/1856-54-0x00000000001B0000-0x0000000000250000-memory.dmp

Filesize
640KB

Download
memory/1856-65-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1856-64-0x0000000004D80000-0x0000000004DE8000-memory.dmp

Filesize
416KB

Download
memory/1856-63-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing