General

  • Target

    97f7b44b25caa09ab9a31dcc3b998552

  • Size

    1.2MB

  • Sample

    240213-adx6hseg4s

  • MD5

    97f7b44b25caa09ab9a31dcc3b998552

  • SHA1

    8be55bee43db8fff7b7cca8fe501934d7762e451

  • SHA256

    58949b34eb0f77b45800e72a3ef31e9ae61725a4fc8208f5a718918094758485

  • SHA512

    5197be881513a9fea82bb26127a97221b7a5e3a8ad4b1be306255d5f8ad902e325ac8a5c99170d778659d3ff951ed5a60e96460a24ff61f6ff6f0c9f0fd9b284

  • SSDEEP

    24576:/4aVhAbhPvp9b5f1fPhFsO6Nc9hRnOn5JMtuGr7GMoAxsfW9UBU:/ZAlPvjzPbsO6+9hRnOrMtu67aY6U

Malware Config

Extracted

Family

webmonitor

C2

niiarmah.wm01.to:443

Attributes
  • config_key

    4EcDHH7aWbl50LayUnuRlJWUXiKQWk0O

  • private_key

    yvkn5wM8E

  • url_path

    /recv5.php

Targets

    • Target

      HSBC_PAYMENT_COPY.pdf.exe

    • Size

      1.4MB

    • MD5

      08f2609e7f7daf0f78032f773a68b72c

    • SHA1

      f00e4c61cce15ee5f43c032d8d595aba65fbdc86

    • SHA256

      0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253

    • SHA512

      8c1ba503d2956ad0c60b11547908b81e601a3bfb2c75ae73c03718bd883ff94451b0697f915049614470d59388d161c02893ad90b48466f77fc154a20215da74

    • SSDEEP

      24576:abOd/OsBgo0q4wMf/5vUQgxZGCc+b8QHsDpXgbkyh1Sl+inzQSjzVrV9ZtXCU8jt:abOsoHMXpUnxZGClb8QGryPSEY79/CUw

    • RevcodeRat, WebMonitorRat

      WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    • WebMonitor payload

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks