webmonitor | ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8 | Triage

Submit
Reports

Overview

overview

Static

static

3

8a53427e1c...18.exe

windows7-x64

8a53427e1c...18.exe

windows10-2004-x64

Sharing

General

Target

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118
Size

789KB
Sample

240601-nh59ksba9v
MD5

8a53427e1c76b904ef0daacf7c8a6ec1
SHA1

92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
SHA256

ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
SHA512

d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
SSDEEP

12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe

Resource

win7-20240215-en

webmonitor backdoor infostealer persistence rat upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe

Resource

win10v2004-20240508-en

webmonitor backdoor infostealer persistence rat upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

webmonitor

C2

barclaysb.wm01.to:443

Attributes

config_key
fYgCWawbOgdOjCoFIS3awApyXAxlbcZP
private_key
gbGrRRJty
url_path
/recv5.php

Targets

- Target
  
  8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118
- Size
  
  789KB
- MD5
  
  8a53427e1c76b904ef0daacf7c8a6ec1
- SHA1
  
  92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
- SHA256
  
  ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
- SHA512
  
  d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
- SSDEEP
  
  12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerpersistenceratupx

behavioral2

webmonitorbackdoorinfostealerpersistenceratupx

© 2018-2024

Terms | Privacy