webmonitor | d482d7e39076ad62091622475baa816ca68e88f144253e42a9cdf42fe6473fa5

General

Target

4c48175a44d89ef8d6c92b8473eba6a6_JaffaCakes118
Size

5.2MB
Sample

240516-v9jcfsga4t
MD5

4c48175a44d89ef8d6c92b8473eba6a6
SHA1

de0541f008f9e606f799069d90d9f3ebd9d1a70d
SHA256

d482d7e39076ad62091622475baa816ca68e88f144253e42a9cdf42fe6473fa5
SHA512

ecf4d3cc409654e17c9d1d4c142ce14ee52630a7715663049899e37a6528c65294e5df41bd3d567d8e4887375a700ca3916469a38ffe85dfada03cffac878d7e
SSDEEP

98304:RK6MK+15ZA/wFkzThIeqpxRpJHXOAd2QNXZTIpKskI5XzCh6XcY2R9tR:RK6yZhkhI7pJH+MRhIgsJGh6XWRTR

Score

10^/10

Malware Config

Extracted

Family

webmonitor

C2

kamilw1337.wm01.to:443

Attributes

config_key
a72oDI537AbYRjeItTOo34O25nOyaPFK
private_key
MqUzv9esY
url_path
/recv5.php

Targets

- Target
  
  Extreme Injector v3.7.exe
- Size
  
  365KB
- MD5
  
  1250fbb9be09180d07d87d1abdc2b349
- SHA1
  
  c58da16d2e16955498b083bf5d5a55a4cccf32fe
- SHA256
  
  8979b90d56e060696bcd2f0e36f2c0a10c7ccab4114bfce1bb278bf25ecc2946
- SHA512
  
  ffe323afa8b5ae6d574dff789dd2b42d0ce80581e47648425fc3b57873092f2ee38dcdb17e45e601803ffd4c806f38fcfaf5d785bbb8a1657f71fde980dcedb1
- SSDEEP
  
  6144:cxLA03giVtLfLzHbklDubM1oFRgfHaSjcVfUpJqTyZp0KfgxcFmQoZgfHlgASbyz:cxLA4tLf37ktu2qg/aSjosL4Kfgo5oZ2
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Extreme Injector v3.exe
- Size
  
  1.9MB
- MD5
  
  ec801a7d4b72a288ec6c207bb9ff0131
- SHA1
  
  32eec2ae1f9e201516fa7fcdc16c4928f7997561
- SHA256
  
  b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46
- SHA512
  
  a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac
- SSDEEP
  
  49152:NNEVtO1U1y1DDDDDD7Llngq7NNMqU0p2Vhk9a:NNEVJyZlng4p2V
Score

6^/10
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  xyoungsokin.dll
- Size
  
  5.8MB
- MD5
  
  e487e4dcb8fb3cafad7cd4e38d95ff25
- SHA1
  
  c4fc0e7b24fe70a9b90812bb8ca8b642b717f0b2
- SHA256
  
  7808e7aeda869ae43b63b897a1af451a45fb50ed9e28e43d3db33a49b8352da8
- SHA512
  
  ba2a8fdd720a6f377658f0073f12e26527a18bf4496f2de7cbc64ed232ffa55a98067e501ca3237ac96e79fdac2892403386b415783d50367955cad5b85ae744
- SSDEEP
  
  98304:4m4Y8mQ9tVQ+Pblvbby2rWFcr9E8DzsjPygCbEXsXhbWkfszn5N:sY8Pt6CBzwFG8jPnCbQspIznz
Score

1^/10
behavioral5 behavioral6