MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a
SHA3-384 hash: 709d79124b17ae864cbdbf297630ad73d83a02c6c2bfaa1a2f6394f188c5cf3fb8ca59f5839372adc60de79ff7269754
SHA1 hash: 63f1c19bef78a88efa1139f8f6174caab6842174
MD5 hash: 065f86911f83ae3ce15517458719cd38
humanhash: green-jersey-ceiling-thirteen
File name:REQUEST FOR QUOTATION.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:1'465'492 bytes
First seen:2021-08-03 12:37:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 49be0836dac021f86af2cb207b4613c8 (6 x Loki, 4 x Formbook, 2 x SnakeKeylogger)
ssdeep 24576:4A27dx8DJ+uqhWnJotOEPXblLxOXGOHFi80jb:L0x8d+ukx9PLFxKTQ82b
Threatray 79 similar samples on MalwareBazaar
TLSH T15F659E10B3ED922FF1327AF5AFFAC16DC669B9F84B27C2AF118415074695D805B227B0
Reporter cocaman
Tags:exe RevCodeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
REQUEST FOR QUOTATION.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-03 12:40:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6863e626-f069-404e-af26-9d72ee6a67df

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RevCodeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/176041/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.1692.10189.6566.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/630e7249-43c9-48bb-8ae2-6b25a10aa6a9
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/826132
Signature
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a/
Threat name:
Win32.Trojan.Revcode
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 00:54:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojjco2r5jtqkvlnrbmiuelsmj5rfqrojym2z765kmm2gxh6glnfa._file
Verdict:
malicious
Similar samples:
0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253
RevCodeRAT
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
RevCodeRAT
15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02
RevCodeRAT
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
RevCodeRAT
44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260
RevCodeRAT
6095dd10965d4e081e87c366736e0305b7d42f84dbdb10471bcedacfe145f7a5
RevCodeRAT
7696274f6270b793b2dffc5b283a104be475d79b440500478780e24f6436fd5a
RevCodeRAT
968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
RevCodeRAT
d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2
RevCodeRAT
+ 69 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat suricata
Link:
https://tria.ge/reports/210803-9ylq7hrz8n/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
RevcodeRat, WebMonitorRat
WebMonitor Payload
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
Unpacked files
SH256 hash:
2e00bb2eeb226b2891fd5f409ba0ad5881425d50bad1d01d7643da01deb9fb6b
MD5 hash:
6a410937337614fd6becdfd0b8101cc6
SHA1 hash:
bba3f20646fdd8ff87beb2fd21405958ff19c5fa
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/98bc2076-9912-4616-9fb4-e84dd6af149b/
SH256 hash:
7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a
MD5 hash:
065f86911f83ae3ce15517458719cd38
SHA1 hash:
63f1c19bef78a88efa1139f8f6174caab6842174
Link:
https://www.unpac.me/results/98bc2076-9912-4616-9fb4-e84dd6af149b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RevCodeRAT
Create hunting rule
Author:ditekSHen
Description:Detects RevCode/WebMonitor RAT
Rule name:win_webmonitor_w0
Create hunting rule
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

uue fffb11291364a2094200f145dc0c21ab0b147d5d27c3aaf1e53615d81919d04b

RevCodeRAT

Executable exe 7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fffb11291364a2094200f145dc0c21ab0b147d5d27c3aaf1e53615d81919d04b
Cape
Cape
https://www.capesandbox.com/analysis/176041/

Comments