webmonitor | 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2

General

Target

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
Size

717KB
MD5

c00d1cf7fb01a9b33e438cd16b6eb578
SHA1

0d8c3833492d4106b7164d6ed9fa019838152832
SHA256

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2
SHA512

2f5cac64da4edce25f0cffcc96fb1e500c0ee919ac0b7a466ddeab665ce6db1373a897fee492b36bed3b1a39be8b47af7676b2ef93f3b556b9794b2d78cac92a

Score

10^/10

webmonitor backdoor infostealer rat upx

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Signatures

RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/940-73-0x00000000004E70C0-mapping.dmp	family_webmonitor
behavioral1/memory/940-77-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/940-78-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor
behavioral1/memory/940-79-0x0000000000400000-0x00000000004E9000-memory.dmp	family_webmonitor

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2012-67-0x00000000007B0000-0x0000000000899000-memory.dmp	upx
behavioral1/memory/940-69-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-71-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-72-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-74-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-76-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-77-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-78-0x0000000000400000-0x00000000004E9000-memory.dmp	upx
behavioral1/memory/940-79-0x0000000000400000-0x00000000004E9000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NmNzcY.url	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	123.125.81.6
Destination IP	139.175.55.244
Destination IP	180.76.76.76
Destination IP	114.114.114.114
Destination IP	77.88.8.8
Destination IP	1.2.4.8
Destination IP	101.226.4.6

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

description pid process target process

PID 2012 set thread context of 940 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe vbc.exe

description	pid	process	target process
PID 2012 set thread context of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

pid	process
2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

description pid process

Token: SeDebugPrivilege 2012 601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

description	pid	process
Token: SeDebugPrivilege	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.execsc.exe

description	pid	process	target process
PID 2012 wrote to memory of 1624	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	csc.exe
PID 2012 wrote to memory of 1624	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	csc.exe
PID 2012 wrote to memory of 1624	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	csc.exe
PID 2012 wrote to memory of 1624	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	csc.exe
PID 1624 wrote to memory of 824	1624	csc.exe	cvtres.exe
PID 1624 wrote to memory of 824	1624	csc.exe	cvtres.exe
PID 1624 wrote to memory of 824	1624	csc.exe	cvtres.exe
PID 1624 wrote to memory of 824	1624	csc.exe	cvtres.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe
PID 2012 wrote to memory of 940	2012	601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe
"C:\Users\Admin\AppData\Local\Temp\601683bffc489875354dd4a6b03f824c940b139799d03aefd279643080fae5c2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1057.tmp" "c:\Users\Admin\AppData\Local\Temp\4kxcoa1m\CSC43642E1AD3DF4FFFAA7CD3A437B17641.TMP"
    3⤵
    PID:824
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.dll

Filesize
12KB

MD5
60316435de25d783cf63a086aa2e5a2d

SHA1
b553ca91afaf4b390ffdd6b41b300d7dcc690439

SHA256
a098712f96214f4bd5a0e5b3e4f8d39aca39bf680b10da411ff31fc812d50d7d

SHA512
d376edc45ef2c7e2d2dcbce6b94f2dc8eb35aa61ecc59d895051956d15c03c32b35e069e3d59454d8b6a44a4af0e9e12d34cd34bd6c6e7b29dfc5abf6babb0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.pdb

Filesize
39KB

MD5
2818e56350474b910d689eb9223dc663

SHA1
6b39f71b1f05c122f48a2bcd36d933d8c3f5fc31

SHA256
d6608edcabf45c9e4cab50222a3b704c95c47ba5bd6c8abad1f7e85f10e9dc93

SHA512
0041f00f25f3a11439e00e0bece5b4788ca7dd0bf5bc79aae2a388e901d908bca4fb8ac8880de5b728ddea24bef2a9fc9ef8c1bae949c303972dd6ce2d25affb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1057.tmp

Filesize
1KB

MD5
6f70c560af90472d71785db37c506e0c

SHA1
a99b264bd9e1b3de22026bcd21a18391c91f7387

SHA256
838ae8d0e706e53d1cc58fad77d894e6bace849eb812ca4f421bc1ddb39cd9b5

SHA512
57261d8af2dda301ccffff13aa694904b06db1378df6e2a7416a74e03a9a4c04ff8b53c2cf1486db5e2fae791b007f965eec17709b4e42ab70af17da04afa4f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.0.cs

Filesize
18KB

MD5
ddee8a9d0b2713c2db01c69b0bbe7d67

SHA1
251ce52d5baf2daf14761bc6db5fa1bf2f8d6c76

SHA256
64fd87444ea983ea67fe83c9484ae9be84baba570e78137b884c37d50e758dc1

SHA512
45324925f6150a899b7deae8fff660e802e6f876872a869adf7fe52b17f654ba628ca5c2e611eaecd3b12f8659e0c26f57ba25080d691a1e0abb589234244ebf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kxcoa1m\4kxcoa1m.cmdline

Filesize
312B

MD5
70a12a146a4fd7b08431da280c9ba55c

SHA1
44d221ce3406dc2cd72ad8d7edbe81f2509a29d5

SHA256
a371a5766b1f327c7ecccbd7508fd075ee6ab229932e4ba9fcd53ef314616c01

SHA512
b61e8f71ebe2f9e41c8bce5404f8ddb4b3a56cb2e1b1b30fafd22155f721f7ba754e11613f835c86bc50c9e1e32975bcf403eb60be220210557acaecacf8aa8e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kxcoa1m\CSC43642E1AD3DF4FFFAA7CD3A437B17641.TMP

Filesize
1KB

MD5
a75c56843da455eb0c514ef4e1bdae55

SHA1
03a04a85aa26876570cc52e4fb33f2d97b76a8fa

SHA256
36c2c569eea1aa05194785d5aaeb8a16357840db97e2c79cbc45b162d59f7411

SHA512
42e8fdd048423f6862f77f4c849135ab75d39d4c95708f690308b2294e4e57942b5ffa5c7241b2b067f2bde3f3e15cebce793cd425c0a9f8b4f52d7caae3de20

Download Submit
memory/824-58-0x0000000000000000-mapping.dmp

Download
memory/940-74-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-76-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-79-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-78-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-77-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-73-0x00000000004E70C0-mapping.dmp

Download
memory/940-72-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-69-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-68-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/940-71-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/1624-55-0x0000000000000000-mapping.dmp

Download
memory/2012-67-0x00000000007B0000-0x0000000000899000-memory.dmp

Filesize
932KB

Download
memory/2012-54-0x0000000000270000-0x0000000000312000-memory.dmp

Filesize
648KB

Download
memory/2012-66-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/2012-65-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2012-64-0x0000000004780000-0x00000000047E8000-memory.dmp

Filesize
416KB

Download
memory/2012-63-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads