MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0
SHA3-384 hash: eac2f00aaa697810f68c3f56966563796c61f16ca462fe959462e3337c5a43f9afe32c02b5f5dbb0077e786eb03cee53
SHA1 hash: 813dc57d206536db600a16f8a5da362240cb8516
MD5 hash: 1502cb8a7caf4853614f9fd8f860631e
humanhash: ceiling-diet-two-nine
File name:1502cb8a7caf4853614f9fd8f860631e.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:738'816 bytes
First seen:2021-06-04 07:22:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:L7VmgAiqs+Dq1eoNJjfbNsKgolRaicMH4JX9osdQIDP8mdrC+cCpPqM9:LhmgAg+DqZjqZIcMH4JFdQIT/bcw1
Threatray 148 similar samples on MalwareBazaar
TLSH F9F4ACB123B8DC45CA6D0DB0CC04CAFA9406FD21DDFAD676E5CABE3E6F312955A04942
Reporter abuse_ch
Tags:exe RevCodeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1502cb8a7caf4853614f9fd8f860631e.exe
Verdict:
Malicious activity
Analysis date:
2021-06-04 07:33:00 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/56c08f1d-f05d-4718-be3a-0d93d362841f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164563/
Detection(s):
SecuriteInfo.com.Atros7.CEUC.23894.23204.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797151
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 429550 Sample: 39dqllQVOv.exe Startdate: 04/06/2021 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 4 other signatures 2->61 7 explorer.exe 2->7         started        9 despacito.exe 2 2->9         started        12 despacito.exe 2->12         started        14 39dqllQVOv.exe 4 2->14         started        process3 file4 17 despacito.exe 1 2 7->17         started        65 Writes to foreign memory regions 9->65 67 Allocates memory in foreign processes 9->67 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->69 20 AppLaunch.exe 9->20         started        22 AppLaunch.exe 9->22         started        71 Injects a PE file into a foreign processes 12->71 24 AppLaunch.exe 12->24         started        26 AppLaunch.exe 12->26         started        41 C:\Users\user\AppData\...\39dqllQVOv.exe.log, ASCII 14->41 dropped 28 cmd.exe 2 14->28         started        31 explorer.exe 1 14->31         started        signatures5 process6 file7 47 Antivirus detection for dropped file 17->47 49 Multi AV Scanner detection for dropped file 17->49 51 Machine Learning detection for dropped file 17->51 53 3 other signatures 17->53 33 AppLaunch.exe 12 17->33         started        39 C:\Users\user\Music\despacito.exe, PE32 28->39 dropped 37 conhost.exe 28->37         started        signatures8 process9 dnsIp10 43 192.168.2.1 unknown unknown 33->43 45 xxaim.wm01.to 33->45 63 Contains functionality to register a low level keyboard hook 33->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0/
Threat name:
ByteCode-MSIL.Hacktool.Boilod
Create hunting rule
Status:
Suspicious
First seen:
2018-06-14 22:28:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
31 of 47 (65.96%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxc4wqgs2zkymxwrqjui6tfwepculxmyoxdbtc7rnvqw4u6ff2ya._file
Verdict:
unknown
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
RevCodeRAT
0ba7d87707e5cd53958cb9afd59f1c70b76bad4ba28341e8bdee3d32bf417edb
RevCodeRAT
21ba0bed0b05a2ce68496e73a5c103fb5b815ac2c77e997f46e5d09666c1c978
RevCodeRAT
32560ccc4af2d37c587bbc551e1dd8127b8efaafb199f74c18ec111a812a7f30
RevCodeRAT
3da1df40a9b987cd1fa8d9d4ddab806178ae4157ecb01f22c849220be33416f1
RevCodeRAT
846c3069227802dc9a79fe7ffdeaf474866d52653a620a5d03e91c23732127b8
RevCodeRAT
8b0d6717a7d98595e7727f5309e19a1f3dae7986d1809f14f8de4edfb2810a3e
RevCodeRAT
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
RevCodeRAT
be0ef76b404286ed958cf94b39682e20feac93c0d89c241a6a2cd95af19c25da
RevCodeRAT
d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8
RevCodeRAT
+ 138 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210604-xtw6m4g5ys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
e97475ac9eae138293ca1966656cf631d3a9219e58d0a44224068df4a7b03179
MD5 hash:
fa13ae0158cad8096936920cf65f5abd
SHA1 hash:
e79df52c3f25da84155887c0f083a06ec99178a6
Link:
https://www.unpac.me/results/d44e7c81-3e8f-4df1-af2b-0bc5f4615962/
SH256 hash:
2d72a7a80ffbabe5226e1c68e02d2da298ff7c4625f2ef61ec66297a360dd0d7
MD5 hash:
299b6ab94ab934e01a99a93a681d769b
SHA1 hash:
b99f4b634f389766e653d91e0cf60187d9fb6385
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/d44e7c81-3e8f-4df1-af2b-0bc5f4615962/
SH256 hash:
bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0
MD5 hash:
1502cb8a7caf4853614f9fd8f860631e
SHA1 hash:
813dc57d206536db600a16f8a5da362240cb8516
Link:
https://www.unpac.me/results/d44e7c81-3e8f-4df1-af2b-0bc5f4615962/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevCodeRAT

Executable exe bdc5cb40d2d655865ed182688f4cb623c545dd9875c6198bf16d616e53c52eb0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1322201/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/164563/

Comments