MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevCodeRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862
SHA3-384 hash: 47429cdfb4b754a58b6c8d09b17ec66cf0288a8ee340e594acd604164d56fb8562556554ad04d8b9df6590fb6235df6b
SHA1 hash: 9a1457c856d4f11a751a70b33294e297e7a24d60
MD5 hash: dfaeb668b7033674dc2743ef5f891b45
humanhash: one-october-tennessee-stairway
File name:dfaeb668b7033674dc2743ef5f891b45.exe
Download: download sample
Signature RevCodeRAT
Create hunting rule
File size:374'272 bytes
First seen:2021-06-29 07:04:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 83f1eadde0565f0580fee025e51fc7c8 (2 x RevCodeRAT)
ssdeep 6144:SxLA03gTW7+U1jyNN7saOIdTy56gmG4BvMuyrIQyQhAdATguSmtA9qyLQyX+6C:SxLABYaOIxylmGEvMlEnQhbgxmtAuu+
Threatray 1'663 similar samples on MalwareBazaar
TLSH 1C8423F54C9F1232C1F351F9B9C8C6111A8F61460AEE09FA51EA2C6360F97C58F5EA27
Reporter abuse_ch
Tags:exe RAT RevCodeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dfaeb668b7033674dc2743ef5f891b45.exe
Verdict:
No threats detected
Analysis date:
2021-06-29 07:16:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2fd3ab8-2c7b-4117-a113-53f0fb72f7bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RevCodeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168706/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Malware.WebMonitorRAT-7663776-1
Create hunting rule

Win.Malware.Fugrafa-7663777-0
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RevCodeRAT.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/76a480fb-74c0-436f-bfda-67e6ae570de9
Result
Threat name:
WebMonitor RAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/809204
Signature
Antivirus / Scanner detection for submitted sample
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Creates autostart registry keys with suspicious names
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected WebMonitor RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-06-28 17:36:25 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76z343owf46762uhtsgdkf7cttdn54owovkt56sf2qejokk6zbra._file
Verdict:
malicious
Similar samples:
7910fea09618fde1ba6c2e3ea088de50109e685d20ae1c08df2f8b530fddd964
RevCodeRAT
7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696
RevCodeRAT
a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a
RevCodeRAT
a6cbb0f97a2c34e7f937717c5562483873acc484526b5cad893243dc7450fcb3
RevCodeRAT
a97aec67e2a556ec45ea8aa3db146d119d39b14486db55ad5b930f8295eccfae
RevCodeRAT
ad5d194018074784d3a8ac9aa334d5b0b4c8ec9fe721ba7870ef054e29d4529d
RevCodeRAT
bd5d3ebe6150f53c1535e1667a18bbd4831751a414e7518dc8e1d15a19db95b3
RevCodeRAT
c74725fe1e3f3681bc7033ce7694b98075d395c06ba22989216d4288db559e85
RevCodeRAT
c968707cc9776419643ca1f0887a31954614629813f222ecc0e025b2efa3a815
RevCodeRAT
fee0b02e4e0358d8025fa74d2780dd557c2de871e03a82b3dd7aadaf451ea1a3
RevCodeRAT
+ 1'653 additional samples on MalwareBazaar
Result
Malware family:
webmonitor
Create hunting rule
Score:
  10/10
Tags:
family:webmonitor backdoor infostealer persistence rat upx
Link:
https://tria.ge/reports/210629-g5165ntdge/
Behaviour
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
RevcodeRat, WebMonitorRat
Unpacked files
SH256 hash:
ab71ffb518f0802251257a7a5c8b107a1659d4bdaae04b1698e2079a71056c82
MD5 hash:
99f0685b66a1378da325f746af950387
SHA1 hash:
050a5270ed025afd9c81e16ce75605bfdb945c6f
Detections:
win_webmonitor_w0
Create hunting rule
Link:
https://www.unpac.me/results/96335672-6164-4b73-b3e0-f6ca26d256b5/
SH256 hash:
ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862
MD5 hash:
dfaeb668b7033674dc2743ef5f891b45
SHA1 hash:
9a1457c856d4f11a751a70b33294e297e7a24d60
Link:
https://www.unpac.me/results/96335672-6164-4b73-b3e0-f6ca26d256b5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:MALWARE_Win_RevCodeRAT
Create hunting rule
Author:ditekSHen
Description:Detects RevCode/WebMonitor RAT
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_webmonitor_w0
Create hunting rule
Author:James_inthe_box
Description:Revcode RAT
Reference:ee1b9659f2193896ce3469b5f90b82af3caffcba428e8524be5a9fdf391d8dd8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevCodeRAT

Executable exe ffb3be6dd62f3dff6a879c8c3517e29cc6def1d675553efa45d40897295ec862

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1393567/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168706/

Comments