Analysis
-
max time kernel
152s -
max time network
163s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
30-07-2022 22:20
Static task
static1
Behavioral task
behavioral1
Sample
61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe
Resource
win10v2004-20220722-en
General
-
Target
61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe
-
Size
892KB
-
MD5
14d8aab063f78a8c70801f240b8b7b42
-
SHA1
03fe13043ff7baa44f2ee25b9d973feffd461905
-
SHA256
61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701
-
SHA512
433e2215ae50e5b8bf45493295ad38c3df21bf7b88680903b22f93c6a0d4494f7957bc802886ec9f1389f22ad8dec06608cde10946aafde88705ae8a5057d3ea
Malware Config
Extracted
webmonitor
blazenowen.wm01.to:443
-
config_key
EGm5jUWfcr82Lzdv9JfTfE11MdAbW1NV
-
private_key
eO2U1b402
-
url_path
/recv4.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 1 IoCs
resource yara_rule behavioral1/memory/1060-59-0x0000000000400000-0x00000000004E3000-memory.dmp family_webmonitor -
resource yara_rule behavioral1/memory/1060-57-0x0000000000400000-0x00000000004E3000-memory.dmp upx behavioral1/memory/1060-59-0x0000000000400000-0x00000000004E3000-memory.dmp upx -
Unexpected DNS network traffic destination 9 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 1.2.4.8 Destination IP 1.2.4.8 Destination IP 185.243.215.214 Destination IP 1.2.4.8 Destination IP 185.243.215.214 Destination IP 185.243.215.214 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\RevCode-3033 = "C:\\Users\\Admin\\AppData\\Roaming\\RevCode-3033.exe" 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1656 set thread context of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27 -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1060 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 1656 wrote to memory of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27 PID 1656 wrote to memory of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27 PID 1656 wrote to memory of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27 PID 1656 wrote to memory of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27 PID 1656 wrote to memory of 1060 1656 61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe 27
Processes
-
C:\Users\Admin\AppData\Local\Temp\61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe"C:\Users\Admin\AppData\Local\Temp\61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Users\Admin\AppData\Local\Temp\61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe"C:\Users\Admin\AppData\Local\Temp\61107d11d3d22b6949203ea0e0be74aa4d5b0308455e9e3dcf87491ee2063701.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: RenamesItself
PID:1060
-