MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5
SHA3-384 hash: bdbc00ce9ef03e66f0335845b643dd39e1acb3b73d29407cba7a6fcd03fcfdef49f1810d2bf484c2de36a5022a1f9458
SHA1 hash: d049bc23f0604897e32ac0f76f52677a7c8ce991
MD5 hash: a0cb248c9464e9ea4f72ebc7d7807e98
humanhash: minnesota-diet-potato-jersey
File name:OUTSTANDING_DEBTS.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:1'322'252 bytes
First seen:2021-08-16 05:09:50 UTC
Last seen:2021-08-16 05:45:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 82004e82653b7bafbfcf73a18d8cef95 (3 x Loki, 3 x RemcosRAT, 1 x RevCodeRAT)
ssdeep 24576:3qi8cepZHTsP09VGLHRteRCVdjoWfHNcL9NTYV82qU9tUk+MPAnh7wr:3EdTsPHuCPoQtgNTe82vhnPRr
Threatray 80 similar samples on MalwareBazaar
TLSH T1D655F100BDC4E0B2CB7538344BB6D0B55CAD1971271286DFA39C697A6F79BD2A83530E
Reporter GovCERT_CH
Tags:exe RevCodeRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OUTSTANDING_DEBTS.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-16 05:10:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/11770611-0161-44c9-81fc-0781d68eb95c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179409/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.29163.29470.20918.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/049f375d-c877-45fd-bbaf-2b4ed5cf1fd0
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/833296
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Installs a global keyboard hook
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5/
Threat name:
Win32.Trojan.Revcode
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 01:39:39 UTC
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fd6q7tpsalzj5kxogpjdsoonlpoxlpli5zghqfouzjg5fzvajpsq._file
Verdict:
malicious
Similar samples:
0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253
RevCodeRAT
142cf7f01ff7c99da5e16196325e3fa3a6d867ff0e50696d727c92696ba97ccf
RevCodeRAT
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
RevCodeRAT
44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260
RevCodeRAT
7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a
RevCodeRAT
77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210
RevCodeRAT
d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2
RevCodeRAT
+ 70 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat suricata
Link:
https://tria.ge/reports/210816-1tqzc6y4ha/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
RevcodeRat, WebMonitorRat
WebMonitor Payload
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
Unpacked files
SH256 hash:
cac2b683520f786a28c3194ec14dc721d70047be3fd72bf21cf708b02ef9aa99
MD5 hash:
23be9229fda02c0c2e5e6bb57c2621a3
SHA1 hash:
f2a7f6cc237459cd8f2c951d651d2f223722173b
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/dd1a7503-6d57-46e1-bf02-58af1fc60104/
SH256 hash:
28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5
MD5 hash:
a0cb248c9464e9ea4f72ebc7d7807e98
SHA1 hash:
d049bc23f0604897e32ac0f76f52677a7c8ce991
Link:
https://www.unpac.me/results/dd1a7503-6d57-46e1-bf02-58af1fc60104/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RevCodeRAT
Create hunting rule
Author:ditekSHen
Description:Detects RevCode/WebMonitor RAT
Rule name:win_webmonitor_w0
Create hunting rule
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

Executable exe 28fd0fcdf202f29eaaee33d23939cd5bdd75bd68ee4c7815d4ca4dd2e6a04be5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179409/

Comments