webmonitor | 8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8

General

Target

cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118
Size

811KB
Sample

240831-1s2elaxeqa
MD5

cdab5970c5e3d12116faceea2b0b7ed9
SHA1

6b13121ed24e1952b8ceecab0a2cc95ed4182c41
SHA256

8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8
SHA512

21f0fa1eb0bdf5a200f2ecf9731f97f139884491f34f9088b3c54fbb529d7558763161e63ad19a50436479fbdcad49592455ef629fcb4f34b4a53e63a3c63a6b
SSDEEP

12288:54P00EVz7GYFuzIuZrpG0NHlq4duP2oWC8V1xEZyQeURSx8sWDF:54M0KPGYA8uZ40NFqL2oWNV1xyyhYs0

Score

10^/10

Malware Config

Extracted

Family

webmonitor

C2

arglobal.wm01.to:443

Attributes

config_key
ziKbg2IBpBxL34Yr4SWnQnV4SqpF6Yy4
private_key
X2HBeL4iM
url_path
/recv4.php

Targets

- Target
  
  cdab5970c5e3d12116faceea2b0b7ed9_JaffaCakes118
- Size
  
  811KB
- MD5
  
  cdab5970c5e3d12116faceea2b0b7ed9
- SHA1
  
  6b13121ed24e1952b8ceecab0a2cc95ed4182c41
- SHA256
  
  8a3c1ca12b7f67078c31a08b66d0c126d55177da3dc42cdf2f80a593ab9548d8
- SHA512
  
  21f0fa1eb0bdf5a200f2ecf9731f97f139884491f34f9088b3c54fbb529d7558763161e63ad19a50436479fbdcad49592455ef629fcb4f34b4a53e63a3c63a6b
- SSDEEP
  
  12288:54P00EVz7GYFuzIuZrpG0NHlq4duP2oWC8V1xEZyQeURSx8sWDF:54M0KPGYA8uZ40NFqL2oWNV1xyyhYs0
Score

10^/10

webmonitor backdoor discovery infostealer rat upx
- RevcodeRat, WebMonitorRat
  WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
  backdoor rat infostealer webmonitor
- WebMonitor payload
- Drops startup file
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

RevcodeRat, WebMonitorRat

WebMonitor payload

Drops startup file

UPX packed file

Unexpected DNS network traffic destination

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2