
WebbyTea

WebbyTea is an HTTP(S) downloader that uses AES for C&C traffic encryption.

WebbyTea is a Windows malware family operated by Lazarus Group.

Background

WebbyTea is an HTTP(S) downloader that encrypts its C&C traffic with AES.

It transmits extensive details about the host environment, including proxy configuration, the system installation date, the Windows product name and version, manufacturer, product name, boot time, time zone, computer name, user name, the current time, and a list of running processes. Each message to the C&C server is built from the prefix "ci", a 16-character hexadecimal victim ID, and the encrypted system data. Once the payload is retrieved and successfully injected into a freshly spawned explorer.exe process, the malware replies using the same victim ID but with the prefix switched to "cs".
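The beacon layout described above (prefix, 16-character hexadecimal victim ID, encrypted blob) is simple enough to parse and correlate from captured HTTP bodies. The following is an added example, not code from Malpedia or from the malware; it assumes the three fields are concatenated with no separator, and it treats the AES blob as opaque because the page gives no key or mode. The sample bodies are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Layout from the description: 2-char prefix + 16 hex chars + encrypted data.
# Assumption: fields are concatenated directly; the blob is not decrypted here.
BEACON_RE = re.compile(r"^(ci|cs)([0-9a-fA-F]{16})(.*)$", re.DOTALL)


@dataclass
class Beacon:
    kind: str        # "checkin" for prefix "ci", "success" for prefix "cs"
    victim_id: str   # normalised to lowercase hex
    blob_len: int    # length of the opaque encrypted payload


def parse_beacon(body: str) -> Optional[Beacon]:
    """Return the parsed structure, or None if the body does not match."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    prefix, victim_id, blob = m.groups()
    kind = "checkin" if prefix == "ci" else "success"
    return Beacon(kind, victim_id.lower(), len(blob))


def injected_hosts(bodies):
    """Victim IDs that sent a 'ci' check-in and later a 'cs' reply, i.e. the
    retrieved payload was injected into explorer.exe per the description."""
    seen_checkin = set()
    confirmed = []
    for body in bodies:
        b = parse_beacon(body)
        if b is None:
            continue
        if b.kind == "checkin":
            seen_checkin.add(b.victim_id)
        elif b.victim_id in seen_checkin and b.victim_id not in confirmed:
            confirmed.append(b.victim_id)
    return confirmed


# Constructed sample traffic (not real captures); IDs and blobs are made up.
SAMPLE_BODIES = [
    "ci0123456789abcdef" + "A" * 40,   # check-in from host 1
    "cideadbeefcafef00d" + "B" * 40,   # check-in from host 2, never confirmed
    "cs0123456789abcdef" + "C" * 8,    # host 1 reports successful injection
    "GET-not-a-beacon",                # unrelated body, ignored
    "cs" + "zz" * 8 + "x",             # malformed ID, must not parse
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(parse_beacon(body))
    print("confirmed injection:", injected_hosts(SAMPLE_BODIES))
```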

The native WebbyTea component typically carries the internal DLL name pe64.dll or webT64.dll, the latter giving the family its name. Its usual payload is SnatchCrypto.


Source: Malpedia (Fraunhofer FKIE).