webmonitor | 9f44d74b5fe2e6353074ba70ade88d1747f038ca9902be34cb2ca95eecafc760 | Triage

Submit
Reports

Overview

overview

Static

static

3

1157923e5c...18.exe

windows7-x64

7

1157923e5c...18.exe

windows10-2004-x64

Sharing

General

Target

1157923e5cd51d747faf266da4e22de5_JaffaCakes118
Size

621KB
Sample

240504-dsc1nsbg61
MD5

1157923e5cd51d747faf266da4e22de5
SHA1

fc2cd39cfae0b4f5ea343e6286e3e98147fac320
SHA256

9f44d74b5fe2e6353074ba70ade88d1747f038ca9902be34cb2ca95eecafc760
SHA512

668e34d0dd732915573e99cae4fb5b7de590f89824fc1142ae3b5fd737af0489be5f69ca9121f8e80f2cb380795ca95addb582ef22a214942f0cc74e1f892a1f
SSDEEP

12288:ACL1cBficFlfKUMXSxY8L/RMkH6d2c60NPgMS6gl0tfqdlW3fp+4V1H/eu1D1S3L:TRchPoU/M2USQYs

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe

Resource

win7-20240221-en

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

1157923e5cd51d747faf266da4e22de5_JaffaCakes118.exe

Resource

win10v2004-20240419-en

webmonitor backdoor infostealer persistence rat upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

webmonitor

C2

perlhabour.wm01.to:443

Attributes

config_key
XNmE4WPjibOWPGiI4YZB52MvfFKluIbw
private_key
RpKoGNosA
url_path
/recv4.php

Targets

- Target
  
  1157923e5cd51d747faf266da4e22de5_JaffaCakes118
- Size
  
  621KB
- MD5
  
  1157923e5cd51d747faf266da4e22de5
- SHA1
  
  fc2cd39cfae0b4f5ea343e6286e3e98147fac320
- SHA256
  
  9f44d74b5fe2e6353074ba70ade88d1747f038ca9902be34cb2ca95eecafc760
- SHA512
  
  668e34d0dd732915573e99cae4fb5b7de590f89824fc1142ae3b5fd737af0489be5f69ca9121f8e80f2cb380795ca95addb582ef22a214942f0cc74e1f892a1f
- SSDEEP
  
  12288:ACL1cBficFlfKUMXSxY8L/RMkH6d2c60NPgMS6gl0tfqdlW3fp+4V1H/eu1D1S3L:TRchPoU/M2USQYs
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

webmonitorbackdoorinfostealerpersistenceratupx

© 2018-2024

Terms | Privacy