MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevCodeRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02
SHA3-384 hash:	dc8319ffb2c80fcf7e7a8d1cab72ecbca580442a42c4ef87e0abc303157758fa5ef185981a7d933ea9fecd72917d53b2
SHA1 hash:	aa6ace276b374e41a5ec7ad7bd6cf09722756027
MD5 hash:	d168a301aeea42495bfa790ed012223b
humanhash:	oranges-earth-magnesium-cat
File name:	BANK DETAILS.pdf.exe
Download:	download sample
Signature	RevCodeRAT Create hunting rule
File size:	1'249'792 bytes
First seen:	2021-07-01 06:24:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	24576:XLhAQnmi61otMl+/x6b/xOzrVQ5fhT1i0X314gUJ5:XLh5nmLl+/x6b5crVQ1i0OgU
Threatray	58 similar samples on MalwareBazaar
TLSH	4245D0242AE88629F0BA9F7E95B4514547FDF723AF23C95C3DB411C90723A41CAF172A
Reporter	GovCERT_CH
Tags:	exe RevCodeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

128

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BANK DETAILS.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-07-01 06:26:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ad3764d8-80ba-4e35-b045-96d98d5fa0c4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169057/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.13402.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c7f7c300-24a4-41e3-b984-a456d4676cdf

Result

Threat name:

WebMonitor RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/810354

Signature

.NET source code contains very large strings

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to register a low level keyboard hook

Creates autostart registry keys with suspicious names

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected WebMonitor RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-01 02:11:37 UTC

AV detection:

15 of 46 (32.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cuadazfew3jsnfkicvys2zdiv53nieztkryasl55qifqe5c5hyba._file

Verdict:

malicious

RevCodeRAT

44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260

RevCodeRAT

4a2d48d163b550561583e4e5811dc43cb67045e7a9816c30fb8fde4af8dd06d5

RevCodeRAT

4dec812952bd5e2e6ee08fec35c3d78887feaf0269cf4f624b965b5f8c481652

RevCodeRAT

78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee

RevCodeRAT

968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

RevCodeRAT

b426493d22cf9ad03bb8958bb2d994119dd6fb014c23855775dd7a9660bb51a9

RevCodeRAT

b4fbe906439597a3d05b94f3a7001069687e598cabc9a82e47d6c43046be10a5

RevCodeRAT

ea49f722d6874e9b0b754f8116edceee6cdf4b85aa893d1b86053bfc506e5602

RevCodeRAT

fe2f20398cff7bea0e10e10940e0936e2525ba8dba51263387f1b1d82d8b1aea

RevCodeRAT

+ 48 additional samples on MalwareBazaar

Result

Malware family:

webmonitor

Score:

10/10

Tags:

family:webmonitor backdoor infostealer persistence rat

Link:

https://tria.ge/reports/210701-xgpwjnvva2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

RevcodeRat, WebMonitorRat

WebMonitor Payload

Unpacked files

SH256 hash:

1c5e0a0d909d1da24af87967a1e154c8aa490a1f99c6624e7214d20eb84f4fec

MD5 hash:

81faf15c7e3c9446d906659f7c7a9f16

SHA1 hash:

d7e05a22b109ce608109dc509029a7fe22b4b8bf

Link:

https://www.unpac.me/results/3c214a16-d851-47b9-bf4d-8d9a2e822d96/

SH256 hash:

57f263dbd0203860a31c4b2231375e77e447f89277413582ee5de07a49942055

MD5 hash:

f7231dca052063cf269d31a7b255174e

SHA1 hash:

c1825853f5ec3d7928c581ce70696f77a99f6112

Detections:

win_webmonitor_w0

Link:

https://www.unpac.me/results/3c214a16-d851-47b9-bf4d-8d9a2e822d96/

Parent samples :

ea49f722d6874e9b0b754f8116edceee6cdf4b85aa893d1b86053bfc506e5602
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
35975410919029f5c15ea420be97c10c327b94a2aa9e9b044e15660aede8c509
fe2f20398cff7bea0e10e10940e0936e2525ba8dba51263387f1b1d82d8b1aea
b426493d22cf9ad03bb8958bb2d994119dd6fb014c23855775dd7a9660bb51a9
4dec812952bd5e2e6ee08fec35c3d78887feaf0269cf4f624b965b5f8c481652
4a2d48d163b550561583e4e5811dc43cb67045e7a9816c30fb8fde4af8dd06d5
15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02
6095dd10965d4e081e87c366736e0305b7d42f84dbdb10471bcedacfe145f7a5
84d9088f856e12f998ce324510f185b9e6939c8d1cb2cdb46eb9b38baf879619
7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a
0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253
d6593053bda046cd96e0e5e508e0f57622c464738838b84984e35e683d46c414

SH256 hash:

f0e09099238c4fcb905f7238305e783db087ef677182f81131a57b6bba934808

MD5 hash:

650d95cca3b41ddefb796edc04fdfaf8

SHA1 hash:

c1357b90618db961cdb8975500e3529b31ff0be3

Link:

https://www.unpac.me/results/3c214a16-d851-47b9-bf4d-8d9a2e822d96/

SH256 hash:

15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02

MD5 hash:

d168a301aeea42495bfa790ed012223b

SHA1 hash:

aa6ace276b374e41a5ec7ad7bd6cf09722756027

Link:

https://www.unpac.me/results/3c214a16-d851-47b9-bf4d-8d9a2e822d96/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

exe 15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/169057/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample