MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RevCodeRAT


Vendor detections: 11



SHA256 hash: 2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
SHA3-384 hash: c3dd33591d0dcaf2b4ffc0b811cf2a900b19b830824775e20be47da9529c00114c9d2781bb167bfd1ea4c1fad8a91cae
SHA1 hash: 84d65206243408b367ad0fd3234b8d26fc6e4314
MD5 hash: 149fdf05fd2659a44f84b7bea4ef1a8e
humanhash: robin-winter-wisconsin-tango
File name: Code.exe
Download: download sample
Signature: RevCodeRAT
File size: 1'186'030 bytes
First seen: 2021-01-12 07:19:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ae1a3b657fab2502fa4af9551805bcb6 (2 x AgentTesla, 1 x RevCodeRAT)
ssdeep: 24576:yZ+rL2ECnuepCL4hDUffaRX0Ghznl+VDzLA0z:BTSUUVznonXz
Threatray: 48 similar samples on MalwareBazaar
TLSH: 5945F757398CBEC2D78A48F385474DAC11B0AC31E819468FA2C37935EF2592B14FF6A5
Reporter: abuse_ch
Tags: exe Outlook RevCodeRAT


abuse_ch
Malspam distributing unidentified malware:

HELO: EUR05-DB8-obe.outbound.protection.outlook.com
Sending IP: 40.92.89.42
From: beatrice dizy <dizys2@msn.com>
Subject: 6 tickets PCS de 250€
Attachment: Code.rar (contains "Code.exe")

Intelligence


File Origin
# of uploads :
1
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Code.exe
Verdict:
Malicious activity
Analysis date:
2021-01-12 07:27:36 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
WebMonitor RAT
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph ID 338439 (sample: Code.exe, start date: 12/01/2021, architecture: WINDOWS, score: 100). Information recovered from the graph image:

Sample-level signatures:
- Multi AV Scanner detection for submitted file
- Yara detected WebMonitor RAT
- Machine Learning detection for sample
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Process tree:
- Code.exe (started)
  - Dropped file: C:\Users\user\AppData\...\Player.exe.exe (PE32)
  - Signatures: queries sensitive video device information (via WMI, Win32_VideoController); queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard); creates multiple autostart registry keys; 4 other signatures
  - Child process: Code.exe (started)
    - Network: ntp.se 194.58.200.20, ports 123, 50464, 51650 (NTP-SE, anycasted NTP services from Netnod IXPs, Sweden); ericpt.wm01.to 45.153.186.90, ports 443, 49739, 49740 (MVPS, https://www.mvps.net, EU, Bulgaria); 4 other IPs or domains
    - Signatures: creates autostart registry keys with suspicious names; creates multiple autostart registry keys; installs a global keyboard hook
- Player.exe.exe (started, two instances)
  - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; contains functionality to detect virtual machines
  - Child process: Player.exe.exe (started), resolves sdns.se and 82d2646fa5fd9b5a48e9eec62742a1d2.se
Threat name:
Win32.Trojan.Strictor
Status:
Malicious
First seen:
2021-01-12 07:20:14 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SHA256 hash:
2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3
MD5 hash:
149fdf05fd2659a44f84b7bea4ef1a8e
SHA1 hash:
84d65206243408b367ad0fd3234b8d26fc6e4314
SHA256 hash:
48d3943902402552bd0113fb9ff614361a5b009ee9c0d09adbb82044850bf3f2
MD5 hash:
a55e021dbdf430a37e76f56034e63b3c
SHA1 hash:
5651c5ab8d4517e526c66f164c3881c7c73a93f8
Detections:
win_webmonitor_w0
Please note that we are no longer able to provide a coverage score for Virus Total.
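The indicators above (file hashes for the submitted and unpacked files, the hosts the sandbox saw the sample contact, the Player.exe.exe dropped under AppData and the Run-key persistence) are only useful once they are turned into something that runs against your own telemetry. The script below is an added example written for this page, not MalwareBazaar's or any vendor's tooling. The hashes and hostnames are the ones this entry reports; the DNS log format, the Run-key examples and the two "suspicious autostart" heuristics are assumptions made for the example. ntp.se is deliberately treated as context rather than an indicator, since the report itself identifies it as Netnod's public NTP service.

```python
"""Added example: match this MalwareBazaar entry's IOCs against host and DNS
artefacts. Not the site's own code; log format and heuristics are assumptions."""
import hashlib
import re
from pathlib import PureWindowsPath

# Digests reported on this page for Code.exe and the file unpacked from it,
# stored lowercase so lookups are case-insensitive.
HASH_IOCS = {
    "2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3": "Code.exe sha256",
    "84d65206243408b367ad0fd3234b8d26fc6e4314": "Code.exe sha1",
    "149fdf05fd2659a44f84b7bea4ef1a8e": "Code.exe md5",
    "48d3943902402552bd0113fb9ff614361a5b009ee9c0d09adbb82044850bf3f2": "unpacked sha256",
    "5651c5ab8d4517e526c66f164c3881c7c73a93f8": "unpacked sha1",
    "a55e021dbdf430a37e76f56034e63b3c": "unpacked md5",
}

# Hosts and IPs the sandbox report lists as contacted by the sample or by the
# dropped Player.exe.exe. The reason strings are what the report says, no more.
NETWORK_IOCS = {
    "ericpt.wm01.to": "contacted by Code.exe over 443 (sandbox report)",
    "45.153.186.90": "contacted by Code.exe over 443 (sandbox report)",
    "sdns.se": "resolved by dropped Player.exe.exe (sandbox report)",
    "82d2646fa5fd9b5a48e9eec62742a1d2.se": "resolved by dropped Player.exe.exe (sandbox report)",
}
# Public NTP service per the report: context only, never an alert on its own.
BENIGN_CONTEXT = {"ntp.se", "194.58.200.20"}

# Constructed DNS log lines for the example; the format is an assumption.
DNS_LOG = """\
2021-01-12T07:30:01Z client=10.0.0.5 query=ntp.se type=A
2021-01-12T07:30:02Z client=10.0.0.5 query=ericpt.wm01.to type=A
2021-01-12T07:30:03Z client=10.0.0.7 query=82d2646fa5fd9b5a48e9eec62742a1d2.se type=A
2021-01-12T07:30:04Z client=10.0.0.9 query=www.example.com type=A
"""


def file_hashes(data: bytes) -> dict:
    """Compute the three digests the entry lists, so a file found on disk can
    be compared with the entry without uploading it anywhere."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_hash(digest: str):
    """Return the IOC label for a digest in any letter case, or None."""
    return HASH_IOCS.get(digest.strip().lower())


_DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def dns_hits(log: str) -> list:
    """Return (client, query, reason) for each query naming a listed host.
    Matches the host exactly or as a parent domain (sub.ericpt.wm01.to hits)."""
    hits = []
    for line in log.splitlines():
        m = _DNS_RE.search(line)
        if not m:
            continue
        q = m["query"].lower().rstrip(".")
        if q in BENIGN_CONTEXT:
            continue
        for ioc, reason in NETWORK_IOCS.items():
            if q == ioc or q.endswith("." + ioc):
                hits.append((m["client"], q, reason))
    return hits


def run_key_findings(value_name: str, image_path: str) -> list:
    """Heuristics (assumed for this example) for one Run-key value, modelled on
    the report's dropped C:\\Users\\user\\AppData\\...\\Player.exe.exe: a doubled
    .exe extension, and an autostart image living under AppData. value_name is
    accepted so a caller can report it; the checks act on the image path."""
    findings = []
    path = PureWindowsPath(image_path.strip('"'))
    if [s.lower() for s in path.suffixes].count(".exe") >= 2:
        findings.append("doubled .exe extension")
    if "appdata" in [part.lower() for part in path.parts]:
        findings.append("autostart image under AppData")
    return findings


if __name__ == "__main__":
    for hit in dns_hits(DNS_LOG):
        print("DNS hit:", hit)
    print(run_key_findings("Player", r"C:\Users\user\AppData\Roaming\Player.exe.exe"))
```

When feeding real Run-key data into run_key_findings, export the values with an enumerator you trust (Autoruns, or a query of HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Run) rather than trusting a single registry view: the report lists multiple autostart keys, so a hit in one hive is a reason to look at the others.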

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_RevCodeRAT
Author:ditekSHen
Description:Detects RevCode/WebMonitor RAT
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_webmonitor_w0
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

Executable exe 2c2b9e423c5ae9ef99565d76a6d7d4b6d5e394f523539b447a633c803e9372a3

(this sample)

Delivery method
Distributed via e-mail attachment
