Analysis
-
max time kernel
151s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
31-08-2022 04:02
Static task
static1
Behavioral task
behavioral1
Sample
Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe
Resource
win10v2004-20220812-en
General
-
Target
Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe
-
Size
2.1MB
-
MD5
8b9cccdb24eb9b20f9fd3119706f4471
-
SHA1
711e1172cd8783297d9a148a8a8c4743fbd6e89d
-
SHA256
3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50
-
SHA512
d69242390b6e30c749ba0274281555617ad0408310b26571e6cb7b18df8addf525c046092747ea5db8cd0c157f2acc64d500f2fcfc73a94a98b317960a5f6aa1
-
SSDEEP
49152:slwDTibTrn2+eWekrP90yVJNMfw45uWIXZkv8:slwD+jnnxekrP9zJWwyvEkk
Malware Config
Extracted
webmonitor
therealmatrixs.wm01.to:443
-
config_key
Pqe2NRmv6q77pu6rspeYtwpwbbWkEwWt
-
private_key
TWF2E2Jad
-
url_path
/recv5.php
Signatures
-
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
-
WebMonitor payload 1 IoCs
resource yara_rule behavioral2/memory/4252-134-0x0000000000400000-0x000000000095F000-memory.dmp family_webmonitor -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Wine Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4252 Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4252 Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe 4252 Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4252