General

  • Target

    548439913e50f439d1e39f85392f6521c0e55f3e88045484dc16e2168bcc295b

  • Size

    1.1MB

  • Sample

    220725-xq1hqsfccl

  • MD5

    8674855d9363dedef8bba54a5b5a51d2

  • SHA1

    a8401eb792828f10dfdcae790acfe6412b469ca3

  • SHA256

    548439913e50f439d1e39f85392f6521c0e55f3e88045484dc16e2168bcc295b

  • SHA512

    3f6b47bee3e74733771d0e77b0480822913a64046677c1e1814e49654e7446a13c10997f02da83b894dcab182c96c2b680376a63d27609fd05308a18ded6eb79

Malware Config

Extracted

Family

webmonitor

C2

javalux.wm01.to:443

Attributes
  • config_key

    k3t7WlXfL0LMf0q4v4E3j6y2frxuYo9J

  • private_key

    t4Lfa76Ar

  • url_path

    /recv4.php

Targets

    • Target

      548439913e50f439d1e39f85392f6521c0e55f3e88045484dc16e2168bcc295b

    • Size

      1.1MB

    • MD5

      8674855d9363dedef8bba54a5b5a51d2

    • SHA1

      a8401eb792828f10dfdcae790acfe6412b469ca3

    • SHA256

      548439913e50f439d1e39f85392f6521c0e55f3e88045484dc16e2168bcc295b

    • SHA512

      3f6b47bee3e74733771d0e77b0480822913a64046677c1e1814e49654e7446a13c10997f02da83b894dcab182c96c2b680376a63d27609fd05308a18ded6eb79

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    • WebMonitor payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks