webmonitor | 0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06 | Triage

Submit
Reports

Overview

overview

Static

static

3

b26c6f36a8...18.exe

windows7-x64

7

b26c6f36a8...18.exe

windows10-2004-x64

Sharing

General

Target

b26c6f36a8711168dc8d2882a6cab0c2_JaffaCakes118
Size

586KB
Sample

240616-jm38kavgjh
MD5

b26c6f36a8711168dc8d2882a6cab0c2
SHA1

e133a7dad21664672df96f0e6c956effe2ac7350
SHA256

0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
SHA512

f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
SSDEEP

12288:ZjY1mBgD6V65x0RfcbA+y2EoekTDWXDe12aU6uW:ZjY1mNV65x0ZoAR2XNfWXi12ag

Score

10^/10

webmonitor backdoor infostealer persistence rat upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

b26c6f36a8711168dc8d2882a6cab0c2_JaffaCakes118.exe

Resource

win7-20240508-en

persistence upx

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

b26c6f36a8711168dc8d2882a6cab0c2_JaffaCakes118.exe

Resource

win10v2004-20240611-en

webmonitor backdoor infostealer persistence rat upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

webmonitor

C2

holmes101.wm01.to:443

Attributes

config_key
XKulJBlUogMPPhL5GnUay2DqaaoA6mr7
private_key
rwh8ivgQh
url_path
/recv4.php

Targets

- Target
  
  b26c6f36a8711168dc8d2882a6cab0c2_JaffaCakes118
- Size
  
  586KB
- MD5
  
  b26c6f36a8711168dc8d2882a6cab0c2
- SHA1
  
  e133a7dad21664672df96f0e6c956effe2ac7350
- SHA256
  
  0f6c9c6fbd87f9ee7bb66f6d9302f0334c3b16a2a4c2482d3db0ff117fcb1e06
- SHA512
  
  f865d9cd05796cd4dfb69e1a9748b14c9d3ca49d29f5dee1bc8df367dc9f141ac1208a13a986f18963df2b70ff56aa76e7f2b0c7d9e2199ee472e24a24934910
- SSDEEP
  
  12288:ZjY1mBgD6V65x0RfcbA+y2EoekTDWXDe12aU6uW:ZjY1mNV65x0ZoAR2XNfWXi12ag
Score

10^/10

persistence upx webmonitor backdoor infostealer rat
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

webmonitorbackdoorinfostealerpersistenceratupx

© 2018-2024

Terms | Privacy