Revolware (UC release) v0[.]4[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

Revolware (UC release) v0.4.zip
Size

4.8MB
MD5

1e55a10a81e2b625bcacb4fb33f7d8bf
SHA1

c5a2f20830777888ce0c2e9a6a1800a8ea4f4599
SHA256

ff5b867557467097017818196a7d36ad035bed89bdd61c25acea4a07848a07af
SHA512

f056d1ae895c506e5a168f9435bb0e882ff779f39b9866ba9576504de32fe63ea6abd2e37da20bc30f6c5aea59247c4b6abe25e0e552b1400c1a54172fff4ea2
SSDEEP

49152:+902rvysgdAx+O53yitYGSmTGh/qNwffAj3g/bTqSk6dn0:C02mwyq03/lgQ/6Ss

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/Revolware (UC release) v0.4/RWKM.exe

Files

Revolware (UC release) v0.4.zip
.zip
Revolware (UC release) v0.4/RWKM.exe
.exe windows:6 windows x64 arch:x64

1d556f58539312b7d7ec82e68b2e6088

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Ebatoria\Projects\RevolWare\x64\Release\RWKM.pdb

Imports

d3d9

Direct3DCreate9Ex

d3dx9_43

D3DXMatrixTranspose
D3DXVec3Transform

dwmapi

DwmExtendFrameIntoClientArea

ntdll

RtlAdjustPrivilege
RtlInitUnicodeString
RtlPcToFileHeader
NtLoadDriver
NtQuerySystemInformation
RtlWriteRegistryValue
RtlNtStatusToDosError
RtlCompareMemory
RtlVirtualUnwind
RtlCaptureContext
NtUnloadDriver
RtlLookupFunctionEntry
RtlCreateRegistryKey
RtlUnwind
RtlUnwindEx

shlwapi

SHDeleteKeyW

kernel32

IsValidCodePage
FindNextFileW
FindFirstFileExW
FindClose
GetFileAttributesExW
CreateProcessW
GetExitCodeProcess
GetFileType
EnumSystemLocalesW
Sleep
DeviceIoControl
GetTickCount64
MultiByteToWideChar
GlobalAlloc
GlobalFree
GlobalLock
WideCharToMultiByte
GlobalUnlock
LoadLibraryA
QueryPerformanceFrequency
GetProcAddress
FreeLibrary
QueryPerformanceCounter
SetLastError
GetFullPathNameW
GetSystemDirectoryW
VirtualQuery
LoadLibraryExW
CreateFileA
CreateThread
GetConsoleWindow
SetConsoleOutputCP
Process32First
SetConsoleTextAttribute
GetStdHandle
CreateToolhelp32Snapshot
GetLastError
Process32Next
CloseHandle
GetFileSizeEx
ReadFile
HeapAlloc
HeapReAlloc
GetACP
GetProcessHeap
MapViewOfFile
UnmapViewOfFile
CreateFileMappingA
GetUserDefaultLCID
IsValidLocale
GetLocaleInfoW
LCMapStringW
CompareStringW
GetCommandLineW
GetCommandLineA
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
FreeLibraryAndExitThread
ExitThread
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
RaiseException
InitializeSListHead
GetCurrentProcessId
GetStartupInfoW
IsDebuggerPresent
IsProcessorFeaturePresent
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateEventW
ResetEvent
SetEvent
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetStringTypeW
GetOEMCP
SetEndOfFile
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
CreateFileW
HeapSize
WriteConsoleW
HeapFree
WaitForSingleObject
GetConsoleOutputCP
FlushFileBuffers
GetModuleHandleW
ReadConsoleW
GetConsoleMode
GetCurrentThreadId
WaitForSingleObjectEx
GetExitCodeThread
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
TryEnterCriticalSection
DeleteCriticalSection
EncodePointer
DecodePointer
LCMapStringEx
GetSystemTimeAsFileTime
SetFilePointerEx

user32

GetWindow
DispatchMessageA
DestroyWindow
SetWindowPos
ShowWindow
SetWindowLongA
DefWindowProcA
CreateWindowExA
TranslateMessage
LoadIconA
PeekMessageA
RegisterClassExA
UpdateWindow
SetForegroundWindow
LoadCursorA
ScreenToClient
EnumWindows
ClientToScreen
IsChild
GetForegroundWindow
SetCapture
SetCursor
GetClientRect
ReleaseCapture
SetCursorPos
GetCursorPos
OpenClipboard
CloseClipboard
EmptyClipboard
GetClipboardData
SetClipboardData
GetKeyState
GetKeyboardState
GetAsyncKeyState
mouse_event
GetWindowThreadProcessId
GetCapture

imm32

ImmGetContext
ImmReleaseContext
ImmSetCompositionWindow

Sections

.text
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3.5MB - Virtual size: 3.5MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 54KB - Virtual size: 53KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 244B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Revolware (UC release) v0.4/RWKM.sys
.sys windows:10 windows x64 arch:x64

6c3a085ea0e27af17ec74009a5939543

Code Sign

78:47:ee:ef:db:42:7f:a0:45:0f:14:77:79:99:02:21
Certificate

Issuer

CN=WDKTestCert romal\,133012794520847836

Not Before

02/07/2022, 23:50

Not After

03/07/2032, 00:00

Subject

CN=WDKTestCert romal\,133012794520847836

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageKeyEncipherment
KeyUsageDataEncipherment

bc:d5:fc:75:ef:63:58:eb:8b:dd:54:2a:57:d5:62:44:a1:98:44:c7
Signer

Actual PE Digest

bc:d5:fc:75:ef:63:58:eb:8b:dd:54:2a:57:d5:62:44:a1:98:44:c7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Ebatoria\Projects\RevolWare\x64\Release\RWKM.pdb

Imports

ntoskrnl.exe

IofCompleteRequest
PsLookupProcessByProcessId
wcsstr
ProbeForRead
ProbeForWrite
IoGetCurrentProcess
KeStackAttachProcess
KeUnstackDetachProcess
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
MmCopyVirtualMemory
__C_specific_handler
RtlInitUnicodeString
IoCreateDevice
IoCreateSymbolicLink
IoDeleteDevice
IoDeleteSymbolicLink
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine

Sections

.text
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 646B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Revolware (UC release) v0.4/objects.list
Revolware (UC release) v0.4/termdd.sys
.dll windows:6 windows x64 arch:x64

e73d3f83260a4e815c70360018ea4c1f

Code Sign

61:04:b3:f5:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:13

Not After

25/07/2011, 19:23

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:9E78-864B-039D,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:15:23:0f:00:00:00:00:00:0a
Certificate

Issuer

CN=Microsoft Windows Verification PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/12/2009, 21:57

Not After

07/03/2011, 21:57

Subject

CN=Microsoft Windows,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:07:02:dc:00:00:00:00:00:0b
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

15/09/2005, 21:55

Not After

15/03/2016, 22:05

Subject

CN=Microsoft Windows Verification PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

e9:1d:27:a2:a0:39:ca:8f:55:cc:01:ae:81:b2:85:a9:9d:6d:64:20
Signer

Actual PE Digest

e9:1d:27:a2:a0:39:ca:8f:55:cc:01:ae:81:b2:85:a9:9d:6d:64:20

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

termdd.pdb

Imports

ntoskrnl.exe

KeInitializeEvent
ZwLoadDriver
IoGetDeviceObjectPointer
ZwUnloadDriver
IoBuildDeviceIoControlRequest
ObfDereferenceObject
ObfReferenceObject
IofCallDriver
KeWaitForSingleObject
ExEnterCriticalRegionAndAcquireResourceExclusive
ExReleaseResourceAndLeaveCriticalRegion
MmSizeOfMdl
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
IoInitializeIrp
memchr
IofCompleteRequest
ProbeForWrite
ExIsResourceAcquiredExclusiveLite
IoAcquireCancelSpinLock
IoReleaseCancelSpinLock
IoGetRequestorProcess
IoGetCurrentProcess
MmMapLockedPagesSpecifyCache
KeSetEvent
PsGetCurrentProcessId
_stricmp
ExInitializeResourceLite
ExDeleteResourceLite
ZwDeviceIoControlFile
ObReferenceObjectByHandle
IoFileObjectType
RtlLengthRequiredSid
RtlSubAuthoritySid
RtlInitializeSid
SeQueryInformationToken
RtlEqualSid
ExAllocatePoolWithQuotaTag
MmUserProbeAddress
IoCreateDevice
_vsnwprintf
RtlInitUnicodeString
RtlQueryRegistryValues
KeClearEvent
IoGetRequestorProcessId
ExEnterCriticalRegionAndAcquireResourceShared
ExReleaseResourceLite
ExAcquireResourceExclusiveLite
KeDelayExecutionThread
KeWaitForMultipleObjects
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
PsCreateSystemThread
ExQueueWorkItem
DbgPrint
ZwQuerySystemInformation
ExEventObjectType
ZwClose
KeInitializeTimer
KeInitializeDpc
KeSetTimer
KeCancelTimer
RtlInitializeGenericTable
RtlEnumerateGenericTable
RtlDeleteElementGenericTable
RtlInsertElementGenericTable
RtlLookupElementGenericTable
IoStartPacket
IoSetStartIoAttributes
IoStartNextPacket
IoCreateController
IoDeleteController
IoAttachDeviceToDeviceStack
ExAcquireFastMutexUnsafe
ExReleaseFastMutexUnsafe
IoWMIRegistrationControl
IoDetachDevice
IoInvalidateDeviceState
PoStartNextPowerIrp
PoCallDriver
PoSetPowerState
KeReadStateEvent
KeBugCheckEx
ExFreePoolWithTag
IoDeleteDevice
ExAllocatePoolWithTag
__C_specific_handler

wmilib.sys

WmiSystemControl
WmiCompleteRequest

Exports

Exports

IcaAllocateWorkItem
IcaAssertStackLockedExclusive
IcaBreakOnDebugger
IcaBufferAlloc
IcaBufferAllocEx
IcaBufferError
IcaBufferFree
IcaBufferGetUsableSpace
IcaCallNextDriver
IcaChannelInput
IcaCloseHandle
IcaCreateHandle
IcaCreateThread
IcaFlowControlSleep
IcaFlowControlWait
IcaGetSizeForNoLowWaterMark
IcaLogError
IcaLogErrorEx
IcaQueueWorkItem
IcaQueueWorkItemEx
IcaRawInput
IcaReturnHandle
IcaSleep
IcaStackAllocatePool
IcaStackAllocatePoolWithTag
IcaStackFreePool
IcaStackTrace
IcaStackTraceBuffer
IcaSystemTrace
IcaSystemTraceBuffer
IcaTimerCancel
IcaTimerClose
IcaTimerCreate
IcaTimerStart
IcaWaitForMultipleObjects
IcaWaitForSingleObject
IcaZwClose
OutBufTracker

Sections

.text
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.edata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Revolware (UC release) v0.4/unloadDriver.bat

Sharing

General

Malware Config

Signatures

Files

1d556f58539312b7d7ec82e68b2e6088

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

d3d9

d3dx9_43

dwmapi

ntdll

shlwapi

kernel32

user32

imm32

Sections

.text Size: 1.2MB - Virtual size: 1.2MB

.rdata Size: 3.5MB - Virtual size: 3.5MB

.data Size: 10KB - Virtual size: 19KB

.pdata Size: 54KB - Virtual size: 53KB

_RDATA Size: 512B - Virtual size: 244B

.rsrc Size: 512B - Virtual size: 488B

.reloc Size: 6KB - Virtual size: 6KB

6c3a085ea0e27af17ec74009a5939543

Code Sign

78:47:ee:ef:db:42:7f:a0:45:0f:14:77:79:99:02:21Certificate

Extended Key Usages

Key Usages

bc:d5:fc:75:ef:63:58:eb:8b:dd:54:2a:57:d5:62:44:a1:98:44:c7Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

Sections

.text Size: 2KB - Virtual size: 1KB

.rdata Size: 1KB - Virtual size: 1KB

.data Size: 512B - Virtual size: 80B

.pdata Size: 512B - Virtual size: 120B

INIT Size: 1024B - Virtual size: 646B

.reloc Size: 512B - Virtual size: 20B

e73d3f83260a4e815c70360018ea4c1f

Code Sign

61:04:b3:f5:00:00:00:00:00:0dCertificate

Extended Key Usages

Key Usages

61:15:23:0f:00:00:00:00:00:0aCertificate

Extended Key Usages

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

61:07:02:dc:00:00:00:00:00:0bCertificate

Extended Key Usages

Key Usages

e9:1d:27:a2:a0:39:ca:8f:55:cc:01:ae:81:b2:85:a9:9d:6d:64:20Signer

Headers

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

wmilib.sys

Exports

Exports

Sections

.text Size: 35KB - Virtual size: 35KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 1KB

.pdata Size: 2KB - Virtual size: 1KB

PAGE Size: 4KB - Virtual size: 4KB

.edata Size: 1KB - Virtual size: 1KB

INIT Size: 4KB - Virtual size: 4KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 168B

.text
Size: 1.2MB - Virtual size: 1.2MB

.rdata
Size: 3.5MB - Virtual size: 3.5MB

.data
Size: 10KB - Virtual size: 19KB

.pdata
Size: 54KB - Virtual size: 53KB

_RDATA
Size: 512B - Virtual size: 244B

.rsrc
Size: 512B - Virtual size: 488B

.reloc
Size: 6KB - Virtual size: 6KB

78:47:ee:ef:db:42:7f:a0:45:0f:14:77:79:99:02:21
Certificate

bc:d5:fc:75:ef:63:58:eb:8b:dd:54:2a:57:d5:62:44:a1:98:44:c7
Signer

.text
Size: 2KB - Virtual size: 1KB

.rdata
Size: 1KB - Virtual size: 1KB

.data
Size: 512B - Virtual size: 80B

.pdata
Size: 512B - Virtual size: 120B

INIT
Size: 1024B - Virtual size: 646B

.reloc
Size: 512B - Virtual size: 20B

61:04:b3:f5:00:00:00:00:00:0d
Certificate

61:15:23:0f:00:00:00:00:00:0a
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

61:07:02:dc:00:00:00:00:00:0b
Certificate

e9:1d:27:a2:a0:39:ca:8f:55:cc:01:ae:81:b2:85:a9:9d:6d:64:20
Signer

.text
Size: 35KB - Virtual size: 35KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 1KB

PAGE
Size: 4KB - Virtual size: 4KB

.edata
Size: 1KB - Virtual size: 1KB

INIT
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 168B