WebbyTea
Intelligence Profile
WebbyTea is an HTTP(S) downloader that uses AES to encrypt its C&C traffic.
It sends detailed information about the victim's environment: proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes.
Data sent to the C&C server consists of the prefix "ci", a 16-character hexadecimal string representing the victim ID, and the encrypted data about the victim's system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds with the same victim ID, with the prefix changed to "cs".
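Because the system information is AES-encrypted, the stable part of the beacon for detection purposes is the fixed layout in front of it: a two-letter stage prefix ("ci" check-in, "cs" post-injection confirmation) followed by a 16-character hex victim ID. The following is an added example (not code from the page or from the WebbyTea authors) that parses request bodies in that layout and pairs check-ins with confirmations by victim ID. The sample records are constructed, the AES blob is treated as opaque, and its on-the-wire encoding (raw, hex or base64) is an assumption, since the page does not state it.

```python
import re
from collections import defaultdict

# Layout described in the profile: stage prefix ("ci" or "cs"), 16 hex
# characters of victim ID, then the AES-encrypted system data. The encoding
# of that trailing data is not given on the page, so it is kept as an opaque
# string here (assumption).
BEACON_RE = re.compile(r"^(?P<prefix>c[is])(?P<vid>[0-9a-fA-F]{16})(?P<blob>.*)$", re.S)


def parse_beacon(body):
    """Return (prefix, victim_id, blob) for a body in WebbyTea's layout, else None."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    return m.group("prefix"), m.group("vid").lower(), m.group("blob")


# Constructed sample POST bodies (not real captured traffic): (timestamp, client, body).
SAMPLE_POSTS = [
    ("2024-01-01T10:00:00Z", "10.0.0.5", "ci0123456789abcdef" + "A" * 40),  # check-in
    ("2024-01-01T10:00:07Z", "10.0.0.5", "cs0123456789abcdef"),             # payload injected
    ("2024-01-01T10:02:00Z", "10.0.0.9", "ciFEDCBA9876543210" + "B" * 40),  # check-in, no follow-up
    ("2024-01-01T10:03:00Z", "10.0.0.11", "clientid=12345"),                 # unrelated traffic
    ("2024-01-01T10:04:00Z", "10.0.0.12", "ci1234"),                         # ID too short
]


def correlate(posts):
    """Group beacons by victim ID and classify each victim by the stages observed.

    A "cs" following a "ci" for the same ID means the payload was fetched and
    injected into explorer.exe, per the profile; "ci" alone means the infection
    stalled before that point (or the confirmation was not captured).
    """
    stages = defaultdict(dict)
    for ts, client, body in posts:
        parsed = parse_beacon(body)
        if parsed is None:
            continue
        prefix, vid, _blob = parsed
        stages[vid].setdefault(prefix, (ts, client))  # keep first sighting of each stage

    report = {}
    for vid, seen in stages.items():
        if "ci" in seen and "cs" in seen:
            report[vid] = "check-in and payload-injected confirmation"
        elif "ci" in seen:
            report[vid] = "check-in only (no payload delivered or injection failed)"
        else:
            report[vid] = "confirmation without observed check-in"
    return report


if __name__ == "__main__":
    for vid, verdict in correlate(SAMPLE_POSTS).items():
        print(vid, verdict)
```

Victim IDs are normalised to lower case before grouping so that differing hex casing between the two stages cannot split one host into two entries; the two non-matching sample bodies show that a "c" prefix or a short hex run alone is not enough to trigger the match.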
The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which the family name is derived).
The usual payload associated with WebbyTea is SnatchCrypto.
Threat Analysis
WebbyTea is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.