win.webmonitor

WebMonitor RAT

aka: RevCode

On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.'
Unit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows creating client binaries that will not show any popup or dialogue during installation or while running on a target system.

References
2020-11-16 — Trend Micro — Trendmicro
Malicious Actors Target Comm Apps such as Zoom, Slack, Discord
WebMonitor RAT
2020-09-04 — KrabsOnSecurity — Mr. Krabs
BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked
BitRAT WebMonitor RAT
2020-02-04 — RevCode
RevCode RAT
WebMonitor RAT
2019-04-22 — KrebsOnSecurity — Brian Krebs
Who’s Behind the RevCode WebMonitor RAT?
WebMonitor RAT
2018-04-13 — Palo Alto Networks Unit 42 — Mike Harbison, Simon Conant
Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)
WebMonitor RAT
Yara Rules
[TLP:WHITE] win_webmonitor_auto (20260504 | Detects win.webmonitor.)
rule win_webmonitor_auto {

    /* Purpose: code-based detection for win.webmonitor (WebMonitor RAT / RevCode).
     * The rule carries 16 wildcarded byte sequences ($sequence_0 .. $sequence_15)
     * that YARA-Signator extracted from disassembly (see DISCLAIMER below). Each
     * sequence is annotated with "n" (number of instructions) and a "score"; every
     * sequence here scored 200. The "????????" runs appear to be wildcards masking
     * relocated addresses / immediates (cf. signator_config "callsandjumps;datarefs") —
     * confirm against the yara-signator docs before relying on that reading.
     * Several sequences decode, per their annotations, to short generic-looking
     * instruction runs (e.g. "add al, imm8" / "std" in $sequence_0, $sequence_3,
     * $sequence_4); on their own these are presumably weak discriminators, so the
     * "7 of them" threshold in the condition is what carries the specificity.
     * As stated in the DISCLAIMER, sequences come from unpacked files and memory
     * dumps; a packed on-disk sample will likely not match. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.webmonitor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 000d???????? 04e4 fd 0468 ff05???????? 000d???????? 04b8 }
            // n = 7, score = 200
            //   000d????????         |                     
            //   04e4                 | add                 al, 0xe4
            //   fd                   | std                 
            //   0468                 | add                 al, 0x68
            //   ff05????????         |                     
            //   000d????????         |                     
            //   04b8                 | add                 al, 0xb8

        $sequence_1 = { 03c1 99 f7fb 47 }
            // n = 4, score = 200
            //   03c1                 | add                 eax, ecx
            //   99                   | cdq                 
            //   f7fb                 | idiv                ebx
            //   47                   | inc                 edi

        $sequence_2 = { ffe1 ba???????? b9???????? ffe1 ba???????? }
            // n = 5, score = 200
            //   ffe1                 | jmp                 ecx
            //   ba????????           |                     
            //   b9????????           |                     
            //   ffe1                 | jmp                 ecx
            //   ba????????           |                     

        $sequence_3 = { fe04e4 fd 04e0 fd ff01 04e0 fd }
            // n = 7, score = 200
            //   fe04e4               | inc                 byte ptr [esp]
            //   fd                   | std                 
            //   04e0                 | add                 al, 0xe0
            //   fd                   | std                 
            //   ff01                 | inc                 dword ptr [ecx]
            //   04e0                 | add                 al, 0xe0
            //   fd                   | std                 

        $sequence_4 = { 04c8 fe04ec fd 04e8 fd ff01 }
            // n = 6, score = 200
            //   04c8                 | add                 al, 0xc8
            //   fe04ec               | inc                 byte ptr [esp + ebp*8]
            //   fd                   | std                 
            //   04e8                 | add                 al, 0xe8
            //   fd                   | std                 
            //   ff01                 | inc                 dword ptr [ecx]

        $sequence_5 = { 0f5ac0 50 51 51 f20f110424 e8???????? d91b }
            // n = 7, score = 200
            //   0f5ac0               | cvtps2pd            xmm0, xmm0
            //   50                   | push                eax
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   f20f110424           | movsd               qword ptr [esp], xmm0
            //   e8????????           |                     
            //   d91b                 | fstp                dword ptr [ebx]

        $sequence_6 = { 0f434520 50 ff75c8 ff15???????? }
            // n = 4, score = 200
            //   0f434520             | cmovae              eax, dword ptr [ebp + 0x20]
            //   50                   | push                eax
            //   ff75c8               | push                dword ptr [ebp - 0x38]
            //   ff15????????         |                     

        $sequence_7 = { 0f437520 ff15???????? 8d044501000000 50 }
            // n = 4, score = 200
            //   0f437520             | cmovae              esi, dword ptr [ebp + 0x20]
            //   ff15????????         |                     
            //   8d044501000000       | lea                 eax, [eax*2 + 1]
            //   50                   | push                eax

        $sequence_8 = { 0fb6c0 d3e0 8b4de0 03c8 }
            // n = 4, score = 200
            //   0fb6c0               | movzx               eax, al
            //   d3e0                 | shl                 eax, cl
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   03c8                 | add                 ecx, eax

        $sequence_9 = { 2bf0 8bc1 99 83e203 03c2 c1f802 2bf8 }
            // n = 7, score = 200
            //   2bf0                 | sub                 esi, eax
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   83e203               | and                 edx, 3
            //   03c2                 | add                 eax, edx
            //   c1f802               | sar                 eax, 2
            //   2bf8                 | sub                 edi, eax

        $sequence_10 = { 3001 a3???????? 30ff 9e 6c 68ff080800 }
            // n = 6, score = 200
            //   3001                 | xor                 byte ptr [ecx], al
            //   a3????????           |                     
            //   30ff                 | xor                 bh, bh
            //   9e                   | sahf                
            //   6c                   | insb                byte ptr es:[edi], dx
            //   68ff080800           | push                0x808ff

        $sequence_11 = { 9e 6c 68ff080800 8a3401 a3???????? 0800 8a30 }
            // n = 7, score = 200
            //   9e                   | sahf                
            //   6c                   | insb                byte ptr es:[edi], dx
            //   68ff080800           | push                0x808ff
            //   8a3401               | mov                 dh, byte ptr [ecx + eax]
            //   a3????????           |                     
            //   0800                 | or                  byte ptr [eax], al
            //   8a30                 | mov                 dh, byte ptr [eax]

        $sequence_12 = { 38644400 44 8a4100 047e }
            // n = 4, score = 200
            //   38644400             | cmp                 byte ptr [esp + eax*2], ah
            //   44                   | inc                 esp
            //   8a4100               | mov                 al, byte ptr [ecx]
            //   047e                 | add                 al, 0x7e

        $sequence_13 = { 00e8 17 42 0048a5 }
            // n = 4, score = 200
            //   00e8                 | add                 al, ch
            //   17                   | pop                 ss
            //   42                   | inc                 edx
            //   0048a5               | add                 byte ptr [eax - 0x5b], cl

        $sequence_14 = { 49 81c900ffffff 41 898f04040000 }
            // n = 4, score = 200
            //   49                   | dec                 ecx
            //   81c900ffffff         | or                  ecx, 0xffffff00
            //   41                   | inc                 ecx
            //   898f04040000         | mov                 dword ptr [edi + 0x404], ecx

        $sequence_15 = { 0f4305???????? 33c9 6800900100 668908 }
            // n = 4, score = 200
            //   0f4305????????       |                     
            //   33c9                 | xor                 ecx, ecx
            //   6800900100           | push                0x19000
            //   668908               | mov                 word ptr [eax], cx

    condition:
        // Fire when at least 7 of the 16 sequences are present and the scanned
        // object is smaller than 1984512 bytes (~1.9 MB). The size cap bounds
        // scan cost and false positives on large files; note that a file larger
        // than the cap (e.g. with appended data) will not match even if all
        // sequences are present, and there is no PE/MZ header check.
        7 of them and filesize < 1984512
}
[TLP:WHITE] win_webmonitor_w0   (20200304 | Revcode RAT)
rule win_webmonitor_w0 {
    meta:
        description = "Revcode RAT"
        author = "James_inthe_box"
        reference = "ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8"
        date = "2020/02"
        maltype = "RAT"
        source = "https://pastebin.com/M2k5Vg3c"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor"
        malpedia_version = "20200304"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""

    /* String-based detection for Revcode / WebMonitor RAT.
     * Five ASCII command-style keywords plus two UTF-16 ("wide") literals.
     * NOTE(review): these are plain, unobfuscated literals, so a packed or
     * crypted build presumably will not match on disk — apply the rule to
     * unpacked samples or memory dumps; confirm against your sample set. */
    strings:
        $kw_screen_stream = "SCREEN_STREAM_START"
        $kw_clipboard_set = "CLIPBOARD_SET"
        $kw_services      = "SERVICES_RESUME"
        $kw_keylog        = "KEYLOG:"
        $kw_webcam        = "WEBCAM_DRIVERS"
        $wide_image_bmp   = "image.bmp" wide
        $wide_appactivate = "APPACTIVATE" wide

    condition:
        // Every one of the seven literals must be present; there is no
        // filesize cap or PE header guard in this rule.
        all of them
}