MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevCodeRAT

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf
SHA3-384 hash:	677e364fae4c6b0219e6190838271bca2de0e05d86890785151961f040d73b8fdae74bf62fa81254806672cbbe1837a3
SHA1 hash:	4624958cd8a724ad01868331d9a78a64fb0cdcb0
MD5 hash:	bcb77b64ef4a369f8b381aff4c6f1c57
humanhash:	march-fifteen-romeo-mars
File name:	NEW PURCHASE ORDER.exe
Download:	download sample
Signature	RevCodeRAT Create hunting rule
File size:	1'006'049 bytes
First seen:	2021-08-12 05:42:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	48cf05311e4a3e8be7b754cbebbc2209 (5 x Loki, 2 x Formbook, 1 x a310Logger)
ssdeep	24576:kkirwmPnCRldoDbhC8xyhFOKOl0TWfNBBx6xs30LM:kxrwmPnCS/TxAFOX+TYwxk0LM
Threatray	76 similar samples on MalwareBazaar
TLSH	T1FC25129C07A2CB4AE0830F75DC8385F0FA5B5E14A6D7D18785D1AA8915BCB2EE7214CE
Reporter	cocaman
Tags:	exe RAT RevCodeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

po.exe

Verdict:

Malicious activity

Analysis date:

2021-08-11 08:39:16 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8522b7c7-d2a7-4786-ad4c-bc0eb750b22d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RevCodeRAT

Link:

https://www.capesandbox.com/analysis/178442/

Detection(s):

PUA.Win.Packer.NspackDotnetNor-2

PUA.Win.Packer.NspackDotnetNor-1

SecuriteInfo.com.Trojan.Siggen14.59710.3970.21343.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

DNS request

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/acb634ef-b2af-4b09-844d-419eddbabf05

Result

Threat name:

WebMonitor RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/831429

Signature

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Creates autostart registry keys with suspicious names

Detected unpacking (changes PE section rights)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected WebMonitor RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2021-08-11 02:46:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 46 (56.52%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cqwpp4a767ez3jpbmgldexr7uotnqz77bzigs3lspsjgs25jpthq._file

Verdict:

malicious

RevCodeRAT

3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f

RevCodeRAT

44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260

RevCodeRAT

7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a

RevCodeRAT

77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210

RevCodeRAT

968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

RevCodeRAT

d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2

RevCodeRAT

+ 66 additional samples on MalwareBazaar

Result

Malware family:

webmonitor

Score:

10/10

Tags:

family:webmonitor backdoor infostealer persistence rat suricata

Link:

https://tria.ge/reports/210812-tag7j4f6s6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

RevcodeRat, WebMonitorRat

WebMonitor Payload

suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup

Unpacked files

SH256 hash:

21a607cb6fa10b1e194144d51ef4cdd2ad2dd1e17a0cbf536f3e04857d61c4c3

MD5 hash:

f9d41d7affd745667246b3f9c82f3e61

SHA1 hash:

44cc71f1e33ce4211daba4a40bfebe413118f2da

Detections:

win_webmonitor_w0

Link:

https://www.unpac.me/results/d89720f5-49ee-4a26-826f-426d778c94f5/

SH256 hash:

142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf

MD5 hash:

bcb77b64ef4a369f8b381aff4c6f1c57

SHA1 hash:

4624958cd8a724ad01868331d9a78a64fb0cdcb0

Link:

https://www.unpac.me/results/d89720f5-49ee-4a26-826f-426d778c94f5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

uue f85ef46438b8f65621b8ffeee02aaa1dd95b00e04a370f12977f52051749102d

RevCodeRAT

exe 142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf

(this sample)

Delivery method

Other

Dropped by

SHA256 f85ef46438b8f65621b8ffeee02aaa1dd95b00e04a370f12977f52051749102d

Cape

https://www.capesandbox.com/analysis/178442/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample