webmonitor | ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8 | Triage

Submit
Reports

Overview

overview

Static

static

3

8a53427e1c...18.exe

windows7-x64

8a53427e1c...18.exe

windows10-2004-x64

Sharing

General

Target

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118
Size

789KB
Sample

240601-nh59ksba9v
MD5

8a53427e1c76b904ef0daacf7c8a6ec1
SHA1

92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
SHA256

ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
SHA512

d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
SSDEEP

12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe

Resource

win7-20240215-en

webmonitor backdoor infostealer persistence rat upx

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118.exe

Resource

win10v2004-20240508-en

webmonitor backdoor infostealer persistence rat upx

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Family

webmonitor

C2

barclaysb.wm01.to:443

Attributes

config_key
fYgCWawbOgdOjCoFIS3awApyXAxlbcZP
private_key
gbGrRRJty
url_path
/recv5.php

Targets

- Target
  
  8a53427e1c76b904ef0daacf7c8a6ec1_JaffaCakes118
- Size
  
  789KB
- MD5
  
  8a53427e1c76b904ef0daacf7c8a6ec1
- SHA1
  
  92b2b17c7210a720e03aa0b7aada1dd4eefb48bb
- SHA256
  
  ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8
- SHA512
  
  d7d8871894114639891c0bfdcbb1ba1b008ab484bb70f825a355c0858d1615b15d801af6ee91304bc488fe5ac6ed3dcc6161b3bbd7f7589d25bff3e7c86a827d
- SSDEEP
  
  12288:tK65z6saNnviEP5R5LlM0uVLseXcCwjHxQWJm9Hjc3w/:tKsaNiWBwNseXcCUHOAm9H//
Score

10^/10

webmonitor backdoor infostealer persistence rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

webmonitorbackdoorinfostealerpersistenceratupx

behavioral2

webmonitorbackdoorinfostealerpersistenceratupx

© 2018-2024

Terms | Privacy