MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210
SHA3-384 hash: 3cb182768087c31c32b244281fa52818316957188ab3c6a02a95475e36aaa8286df5f12f322e2d2f95cbeef5f89cb883
SHA1 hash: e7e0ec21e7cb1d67c906169e6e039d4b29c423c7
MD5 hash: d39da4595ca51a748ac33447965d80e3
humanhash: december-vermont-juliet-georgia
File name:STATEMENT OF ACCOUNT.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:985'692 bytes
First seen:2021-08-10 13:10:28 UTC
Last seen:2021-08-11 06:02:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f6b61b8e7cfb6c1ac49476384f4084e5 (8 x Loki, 4 x Formbook, 1 x SnakeKeylogger)
ssdeep 24576:0FsVd+29QFw53L5o3DVUYR35Xc32WBjshPQ:0FsqtFwaFi3JX
Threatray 66 similar samples on MalwareBazaar
TLSH T1752512BD38599235C4FCDC783A1EB25B6AD3E2A1A31838137853A85C6CD5CC5D92ACDC
Reporter cocaman
Tags:exe RevCodeRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
STATEMENT OF ACCOUNT.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-10 13:21:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c82f4931-8688-4496-b62f-307b05971564

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177932/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.1991.19356.9122.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f4f843d5-a376-45c0-9d60-02c8af35e72a
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830172
Signature
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-08-10 02:14:07 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o5zs45efabilw34tlfc6kegtficjtwba7iizo5jn7c6qdrtoqiia._file
Verdict:
malicious
Similar samples:
0ed8f93b98f9cfff89559df9e0a8d360cab3dde1abfa2992216b4a98c5ca1253
RevCodeRAT
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
RevCodeRAT
15003064a4b6d326954815712d6468af76d413335470092fbd820b02745d3e02
RevCodeRAT
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
RevCodeRAT
44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260
RevCodeRAT
7252276a3d4ce0aaadb10b11422e4c4f625845c9c3359ffbaa63346b9fc65b4a
RevCodeRAT
968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
RevCodeRAT
d4511fa399217b186b74d425d5a0857ae7fe394c9993d76f79beccf2ecea92e2
RevCodeRAT
+ 56 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat suricata
Link:
https://tria.ge/reports/210810-5y41ntyfkx/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
RevcodeRat, WebMonitorRat
WebMonitor Payload
suricata: ET MALWARE WebMonitor/RevCode RAT CnC Domain in DNS Lookup
Unpacked files
SH256 hash:
93069226a656cba6f771081d5168a16e0634218cef4a118aba1a9192013c1f61
MD5 hash:
6b388d5b523a9f444139a257075ea08b
SHA1 hash:
98b581adeacb4ce790c5602e4d31d3cc148e1278
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/ea6126d9-871d-4876-8767-a83ca4b23f8e/
SH256 hash:
77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210
MD5 hash:
d39da4595ca51a748ac33447965d80e3
SHA1 hash:
e7e0ec21e7cb1d67c906169e6e039d4b29c423c7
Link:
https://www.unpac.me/results/ea6126d9-871d-4876-8767-a83ca4b23f8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RevCodeRAT
Create hunting rule
Author:ditekSHen
Description:Detects RevCode/WebMonitor RAT
Rule name:win_webmonitor_w0
Create hunting rule
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

rar 381c0425a341144eabce9490808898b95dfeeadb09aa280116eb688b93f3abeb

RevCodeRAT

Executable exe 77732e74850050bb6f935945e510d32a0499d820fa1197752df8bd01c66e8210

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 381c0425a341144eabce9490808898b95dfeeadb09aa280116eb688b93f3abeb
Cape
Cape
https://www.capesandbox.com/analysis/177932/

Comments