webmonitor | 55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5

General

Target

55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
Size

612KB
MD5

6089a3255851bc09825c01e73d2e0b52
SHA1

720694441f23f83b954db816a83909784272d68c
SHA256

55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5
SHA512

9c550c659dee8659fa3e695aab1e392b0e5e4e2a9d424e3c795e27d24b6c294a6800a9516d92445d7061a9a79e24f8056fc2103d4b1abf744e9cae8de9dc0b03

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 2 IoCs

resource	yara_rule
behavioral2/memory/3428-150-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral2/memory/3428-151-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3428-147-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3428-148-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3428-149-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3428-150-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral2/memory/3428-151-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNHnZP.url	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Unexpected DNS network traffic destination 43 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	139.175.55.244
Destination IP	180.76.76.76
Destination IP	180.76.76.76
Destination IP	91.239.100.100
Destination IP	77.88.8.8
Destination IP	89.233.43.71
Destination IP	101.226.4.6
Destination IP	114.114.114.114
Destination IP	180.76.76.76
Destination IP	139.175.55.244
Destination IP	139.175.55.244
Destination IP	123.125.81.6
Destination IP	89.233.43.71
Destination IP	180.76.76.76
Destination IP	101.226.4.6
Destination IP	123.125.81.6
Destination IP	91.239.100.100
Destination IP	77.88.8.8
Destination IP	101.226.4.6
Destination IP	91.239.100.100
Destination IP	89.233.43.71
Destination IP	114.114.114.114
Destination IP	89.233.43.71
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	77.88.8.8
Destination IP	114.114.114.114
Destination IP	101.226.4.6
Destination IP	139.175.55.244
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	180.76.76.76
Destination IP	123.125.81.6
Destination IP	123.125.81.6
Destination IP	91.239.100.100
Destination IP	123.125.81.6
Destination IP	101.226.4.6
Destination IP	77.88.8.8
Destination IP	1.2.4.8
Destination IP	77.88.8.8
Destination IP	1.2.4.8
Destination IP	139.175.55.244
Destination IP	1.2.4.8

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 3192	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	79
PID 2996 wrote to memory of 3192	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	79
PID 2996 wrote to memory of 3192	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	79
PID 3192 wrote to memory of 1716	3192	csc.exe	81
PID 3192 wrote to memory of 1716	3192	csc.exe	81
PID 3192 wrote to memory of 1716	3192	csc.exe	81
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82
PID 2996 wrote to memory of 3428	2996	55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe	82

C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe
"C:\Users\Admin\AppData\Local\Temp\55c4eee443193174b9784c4e5d78773e45f4e927e4840f3439d366b5fbc0feb5.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC786.tmp" "c:\Users\Admin\AppData\Local\Temp\jo0jdboe\CSCF58DE701E1244499804953C2445928C9.TMP"
    3⤵
    PID:1716
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:3428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC786.tmp

Filesize
1KB

MD5
b3548911813ec6ffc433bce5ec814766

SHA1
0ad8dbeff045e4fbedc531c073f9119eda8c1e76

SHA256
1cd9784d6849ab56db38070b2ed4e575de7811a4266958b8b0ef46659254a974

SHA512
27b091eb6c2c6e503f9a806c146c0c9ae8c9bf4f392d17179d7cbdd40d36cfa60c3946df8af4f467517d4fd2d2629a121f53361414dc555a8ac0fcf6011d18fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.dll

Filesize
6KB

MD5
407993e6195e5a90a42c1a51d513f244

SHA1
6d62a256404e5e9bbe70d6de1e39e788dbc0f6cd

SHA256
17626b513e8c3bddf1a054f689270cc8836d55b32acf70038a3f90a316c6db6c

SHA512
f1798763511d26f8a931ac14c339dd2c1f603ade55bfc9eda7821b3e41f81c92eedd55f5e8ebb46742c8e762c32cebbf46065b342217155b2e3a00f730c992b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.pdb

Filesize
15KB

MD5
1b24e33a8c7ca98b3ab2498867f781af

SHA1
b301f2696bd998da42cce8e119ab95b8d2112a86

SHA256
ff1a022901b0dfa400c836770afbc7c93067044da7eb40f5fc0357f4889ccbc6

SHA512
173a47b48cf2ee755419abe37fe442f73d7920b94f841fa01b8cc1cd9e51a474f9d8aed76440816f016f1baab770710ee42ec5b6f62443c13af86ab917df0bcb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\CSCF58DE701E1244499804953C2445928C9.TMP

Filesize
1KB

MD5
d9d9437bbd14abbf439a87bec1132d2a

SHA1
ea45c42d6a602716fda66f7f2f596ac46de0613d

SHA256
57aef5de77700fe46e4b105b01632e1aaf45cff1ef15a9883069e88da75e8517

SHA512
d79c36c7203a057c5c1a63073fa7c858933fd025f4fc6cd2c7a4d1eb09214d3543f11e965aab56d585043e4ab7741bb456d9852810e4cc93b0ffee89389e27e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.0.cs

Filesize
2KB

MD5
f9a9022ca3a996a6d31fe4ca4f72c454

SHA1
c418512b8bfb0be563565f7afdbade30f0c83322

SHA256
a374f1776f0337d991055993d52b443d9c4317738e183522e1d51178c2fc49f1

SHA512
4284862f17265d1e7c67d9758e86da100be9f08df195bd57c5c27f95eef1d9a2094ffca665db6a452ca72b49c141d9d6a2936a1425dd7f8b2736b3f633f781e7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jo0jdboe\jo0jdboe.cmdline

Filesize
312B

MD5
9f186aec66e9ba3a554e52556006e771

SHA1
989d27fba79556de321a63f245ad8032fabbb0c8

SHA256
d35e548c1f7220cc3cce27078096428aea2cc2e13585959b34a8ca5e1ff875d1

SHA512
274b4628ab041524c7aedc7b8bb5d19caf5d67b71fdb000a2aa83cefdee3198273957b49a38982f22e10023c367ca550ed003def9a07535544ba94882802caa0

Download Submit
memory/2996-135-0x0000000000FA0000-0x0000000001040000-memory.dmp

Filesize
640KB

Download
memory/2996-144-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/2996-145-0x0000000006260000-0x00000000062FC000-memory.dmp

Filesize
624KB

Download
memory/3428-147-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3428-148-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3428-149-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3428-150-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/3428-151-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download

Analysis

Sharing