Overview

overview

10

Static

static

Trojan.Win...50.exe

windows7-x64

10

Trojan.Win...50.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-08-2022 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe

  • Size

    2.1MB

  • MD5

    8b9cccdb24eb9b20f9fd3119706f4471

  • SHA1

    711e1172cd8783297d9a148a8a8c4743fbd6e89d

  • SHA256

    3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50

  • SHA512

    d69242390b6e30c749ba0274281555617ad0408310b26571e6cb7b18df8addf525c046092747ea5db8cd0c157f2acc64d500f2fcfc73a94a98b317960a5f6aa1

  • SSDEEP

    49152:slwDTibTrn2+eWekrP90yVJNMfw45uWIXZkv8:slwD+jnnxekrP9zJWwyvEkk

Score
10/10
webmonitorbackdoorevasioninfostealerrat

Malware Config

Extracted

Family

webmonitor

C2

therealmatrixs.wm01.to:443

Attributes
  • config_key

    Pqe2NRmv6q77pu6rspeYtwpwbbWkEwWt

  • private_key

    TWF2E2Jad

  • url_path

    /recv5.php

Signatures

  • RevcodeRat, WebMonitorRat

    WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.

    backdoorratinfostealerwebmonitor
  • WebMonitor payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe
    "C:\Users\Admin\AppData\Local\Temp\Trojan.Win32.Revcode.ci-3a9c95abba3c0563bae4edc28b992d16df926ac7c7476ae565e3c3a4095a0d50.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4252-132-0x0000000000400000-0x000000000095F000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/4252-133-0x00000000772E0000-0x0000000077483000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4252-134-0x0000000000400000-0x000000000095F000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/4252-135-0x00000000772E0000-0x0000000077483000-memory.dmp

    Filesize

    1.6MB

    Download