MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5777f5810423f9e0bc678ef97b0fef98a843d7e90e4257819850c0ef12ac8055. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevCodeRAT

Vendor detections: 6

SHA256 hash: 5777f5810423f9e0bc678ef97b0fef98a843d7e90e4257819850c0ef12ac8055
SHA3-384 hash: da97b8d71287f66d7ad173105851840201dc3d31f55b07e4ea32de28dabdb13b621150d2827aa819f1c56eb5237dbc4c
SHA1 hash: d08898414e78ddc5e1cb5217efa28a012652ea53
MD5 hash: b97ef142d18371524053f1f302b2f195
humanhash: jig-pip-freddie-mirror
File name: DHL_PACKAGE_HD98232.pdf.001
Signature: RevCodeRAT
File size: 1'101'260 bytes
First seen: 2021-07-08 12:04:22 UTC
Last seen: Never
File type: rar
MIME type: application/x-rar
ssdeep: 24576:ktaW1/3Fr+dBKfDu1jnRODUuCTTxHBoyuMsXfcTREVCOwF59smG:Ea4/3Fr+if61nR+81Nu3XfcdEVA3ymG
TLSH: T1373523B896F4EBBA774635360078F1BF93996628CF903D0F5CB65781300B898AE4467D
Reporter: cocaman
Tags: 001, DHL, rar, RevCodeRAT


Comment by cocaman:
Malicious email (T1566.001)
From: "arrivals_notice@dhl.com" (likely spoofed)
Received: "from ip132.ip-137-74-3.eu (ip132.ip-137-74-3.eu [137.74.3.132]) "
Date: "8 Jul 2021 05:03:38 -0700"
Subject: "NOTICE OF ARRIVAL"
Attachment: "DHL_PACKAGE_HD98232.pdf.001"

Intelligence

File Origin
# of uploads: 1
# of downloads: 128
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-07-08 01:01:16 UTC
File Type: Binary (Archive)
Extracted files: 14
AV detection: 17 of 29 (58.62%)
Threat level: 5/5

Result
Malware family: webmonitor
Score: 10/10
Tags: family:webmonitor backdoor infostealer persistence rat
Behaviour:
  Creates scheduled task(s)
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Adds Run key to start application
  RevcodeRat, WebMonitorRat
  WebMonitor Payload
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
RevCodeRAT
rar 5777f5810423f9e0bc678ef97b0fef98a843d7e90e4257819850c0ef12ac8055 (this sample)

Delivery method: Distributed via e-mail attachment
