MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
SHA3-384 hash: 5f56ee9e7fd9535c94bb376597995df32fdac78c85083d813533a7005b572c00f0a97cea96edad6df1690eee35aaa42b
SHA1 hash: 72ff48fbd0d0db7ee83e90edee6d90eee6719a57
MD5 hash: bd35dd1bc38521c4feb42f5ca266900c
humanhash: friend-cardinal-fix-illinois
File name:MATCH_OUTSTANDING_BILL.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:1'370'112 bytes
First seen:2021-06-21 05:05:23 UTC
Last seen:2021-06-21 05:52:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:+xHSquPHpiwFbzMDh66b/Shc0nz1h37YhIUfv4YgFN:ThF3MDh66DVuz11YuUfwYoN
Threatray 508 similar samples on MalwareBazaar
TLSH 7755E12036E69148D5FF1B318DB9D1C403BA7A673B55CF2E648A224C8D13753DB12AEB
Reporter GovCERT_CH
Tags:exe RevCodeRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MATCH_OUTSTANDING_BILL.exe
Verdict:
No threats detected
Analysis date:
2021-06-21 05:07:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/be0d53fd-c21b-4349-8461-c82c09a8171c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.843.21353.14607.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/576740d1-0fa1-4606-8f1c-cd62d6e6f66e
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/805055
Signature
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 02:36:53 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s2gpdfkang5l343hewjhdoru7qpbjgqyevoel7ebhdinukz52qjq._file
Verdict:
malicious
Similar samples:
1167a7d5a6192107c841eee3d1292914e2ddbe6b661f2c2c41f1c1977ac97372
RevCodeRAT
3c8d5a42b3b1e9ec4c489d8ec98ba60d6d107e62b2d1a2cc43570840374ff05f
RevCodeRAT
44e0cbb71f45ffa77eecd718ba1bba3362da2b7d1ef260474a39d143acd65260
RevCodeRAT
4a2d48d163b550561583e4e5811dc43cb67045e7a9816c30fb8fde4af8dd06d5
RevCodeRAT
4dec812952bd5e2e6ee08fec35c3d78887feaf0269cf4f624b965b5f8c481652
RevCodeRAT
78be18a8bdab5baf14aa5c195ce9f5636750cd4fee2d3bbc3528f4ed8f9ad9ee
RevCodeRAT
b426493d22cf9ad03bb8958bb2d994119dd6fb014c23855775dd7a9660bb51a9
RevCodeRAT
b4fbe906439597a3d05b94f3a7001069687e598cabc9a82e47d6c43046be10a5
RevCodeRAT
ea49f722d6874e9b0b754f8116edceee6cdf4b85aa893d1b86053bfc506e5602
RevCodeRAT
fe2f20398cff7bea0e10e10940e0936e2525ba8dba51263387f1b1d82d8b1aea
RevCodeRAT
+ 498 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat
Link:
https://tria.ge/reports/210621-p9d6tlbc4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
RevcodeRat, WebMonitorRat
WebMonitor Payload
Unpacked files
SH256 hash:
82fe42ffa7c2160c4ba79b666ba52f6dce210e0be5cbbb1419ddf3058215568b
MD5 hash:
a7c717e07a9e8fc3408914687859cf8a
SHA1 hash:
862f0e3f4f99c7674a540327ba08792e8a6cf5a1
Link:
https://www.unpac.me/results/aa0d958f-a070-4ffe-85af-edd34d2e7bab/
SH256 hash:
968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413
MD5 hash:
bd35dd1bc38521c4feb42f5ca266900c
SHA1 hash:
72ff48fbd0d0db7ee83e90edee6d90eee6719a57
Link:
https://www.unpac.me/results/aa0d958f-a070-4ffe-85af-edd34d2e7bab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevCodeRAT

Executable exe 968cf1954069babdf367259271ba34fc1e149a18255c45fc8138d0da2b3dd413

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments