MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42bce47fdbd23c02eebf406de09e04f029347d4b8c05a7d728e8b8149533fb4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevCodeRAT

Vendor detections: 5



SHA256 hash: 42bce47fdbd23c02eebf406de09e04f029347d4b8c05a7d728e8b8149533fb4b
SHA3-384 hash: 54b5c6c56df1daa5b5e0f05497cce7badd6b3a84b66b5dcf913cd375f1bdb5f95103ff4df0a2be91f2af87cd0a91a0a2
SHA1 hash: 7f94ec5c90548dbe297ca2af4abcd79a984d2628
MD5 hash: 03cb2963c14ddda7400581aa0a4fdfc5
humanhash: gee-winner-spring-lion
File name: 03cb2963c14ddda7400581aa0a4fdfc5.exe
Signature: RevCodeRAT
File size: 1'806'472 bytes
First seen: 2020-11-23 16:13:10 UTC
Last seen: 2020-11-23 18:19:55 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5479775c1d012f10601477c1237fe7d4 (6 x QuasarRAT, 2 x BitRAT, 1 x RevCodeRAT)
ssdeep: 24576:zNJDXIOaHsqMAjr2ihpA0ka66gXTmz9lkHscGgny7/:EXHvPCiD6Qimz9eTGGa
TLSH: 0885BEDEA1A05436CC52163DB90AC6ABB92DBD032B28574EE6E43B487F3C15275353CE
Reporter: abuse_ch
Tags: exe RevCodeRAT

Intelligence

File Origin
# of uploads: 2
# of downloads: 209
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: WebMonitor RAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Contains functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect sleep reduction / modifications
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID: 321760; Sample: 1Rv2jMLk7F.exe; Start date: 23/11/2020; Architecture: WINDOWS; Score: 100. The graph shows the sample starting several child instances of itself and conhost.exe, with the signatures listed above attached to the respective process nodes, plus contacted domains and IPs.
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2020-11-23 16:14:06 UTC
AV detection: 26 of 28 (92.86%)
Threat level: 5/5
Verdict: suspicious

Result
Malware family: n/a
Score: 9/10
Tags: persistence upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
ServiceHost packer
Unpacked files
SHA256 hash: 330c3ff284c2e15774fbb7d9471d61ad5a33d7c94550b800a7259f51ff420793
MD5 hash: e5321b26073aa804906a5cf43e89ace0
SHA1 hash: de908c0527bf4b7f2b2d003bd64d52f8c582d0a0
Detections: win_webmonitor_w0

SHA256 hash: 42bce47fdbd23c02eebf406de09e04f029347d4b8c05a7d728e8b8149533fb4b
MD5 hash: 03cb2963c14ddda7400581aa0a4fdfc5
SHA1 hash: 7f94ec5c90548dbe297ca2af4abcd79a984d2628
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name: win_webmonitor_w0
Author: James_inthe_box
Description: Revcode RAT
Reference: ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RevCodeRAT
File: Executable exe 42bce47fdbd23c02eebf406de09e04f029347d4b8c05a7d728e8b8149533fb4b (this sample)

Delivery method
Distributed via web download
