Edit tour
Windows
Analysis Report
RevoUPort.exe
Overview
General Information
| Sample Name: | RevoUPort.exe |
| Analysis ID: | 1341997 |
| MD5: | 2f814a927d097a09911111dbf0fc2e93 |
| SHA1: | 8e4e953c60653a333182320345209765695d4e17 |
| SHA256: | ef70640d701bf406f7008c9ef7dc594019c063e4436415c97033f0a998697edf |
| Infos: | |
 | |
Detection
| Score: | 4 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
Uses 32bit PE files
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Classification
- System is w10x64
RevoUPort.exe (PID: 6408 cmdline: "C:\Users\ user\Deskt op\RevoUPo rt.exe" -i nstall MD5: 2F814A927D097A09911111DBF0FC2E93)
- RevoUPort.exe (PID: 3320 cmdline:
"C:\Users\ user\Deskt op\RevoUPo rt.exe" /i nstall MD5: 2F814A927D097A09911111DBF0FC2E93)
- RevoUPort.exe (PID: 7036 cmdline:
"C:\Users\ user\Deskt op\RevoUPo rt.exe" /l oad MD5: 2F814A927D097A09911111DBF0FC2E93)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • Compliance
- • Networking
- • System Summary
- • Data Obfuscation
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
There are no malicious signatures, click here to show all signatures.
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Static PE information: | ||
| Source: | Code function: | 0_2_00404BE2 | |
| Source: | Static PE information: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Command line argument: | 0_2_00401090 | |
| Source: | Command line argument: | 0_2_00401090 | |
| Source: | Command line argument: | 0_2_00402F30 | |
| Source: | Joe Sandbox Cloud Basic: | Perma Link | ||
| Source: | Static PE information: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Code function: | 0_2_00403313 | |
| Source: | Code function: | 0_2_004027A8 | |
| Source: | Evasive API call chain: | graph_0-3240 | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_00403313 | |
| Source: | Code function: | 0_2_004011CF | |
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Code function: | 0_2_004014D6 | |
| Source: | Code function: | 0_2_004052FB | |
| Source: | Code function: | 0_2_004011CF | |
| Source: | Code function: | 0_2_00402BE2 | |
| Source: | Code function: | 0_2_00406C1A | |
| Source: | Code function: | 0_2_0040293C | |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact | Resource Development | Reconnaissance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Command and Scripting Interpreter | Path Interception | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Abuse Accessibility Features | Acquire Infrastructure | Gather Victim Identity Information |
| Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | SIM Card Swap | Obtain Device Cloud Backups | Network Denial of Service | Domains | Credentials |
| Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Data Encrypted for Impact | DNS Server | Email Addresses |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 3% | ReversingLabs |
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No contacted domains info
⊘No contacted IP infos
| Joe Sandbox Version: | 38.0.0 Ammolite |
| Analysis ID: | 1341997 |
| Start date and time: | 2023-11-13 22:19:35 +01:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 2m 4s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
| Run name: | Cmdline fuzzy |
| Number of analysed new started processes analysed: | 3 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Sample file name: | RevoUPort.exe |
| Detection: | CLEAN |
| Classification: | clean4.winEXE@3/0@0/0 |
| EGA Information: |
|
| HCA Information: |
|
| Cookbook Comments: |
|
- VT rate limit hit for: RevoUP
ort.exe
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 6.8572569042608205 |
| TrID: |
|
| File name: | RevoUPort.exe |
| File size: | 205'440 bytes |
| MD5: | 2f814a927d097a09911111dbf0fc2e93 |
| SHA1: | 8e4e953c60653a333182320345209765695d4e17 |
| SHA256: | ef70640d701bf406f7008c9ef7dc594019c063e4436415c97033f0a998697edf |
| SHA512: | d57fa5fdd2ce0ed148e43814420103e0e340862d6a9c35714ede6fa059dad0b63963b790824cbc126535b97c23f2fd560eb0891050fc0f3996a30c7ee8e99619 |
| SSDEEP: | 3072:0kLnAdeRbvAZpoKIIn9xg//XHTfq2M0W30L/OHQ4HFs3qMGrfv8Th:3LAoYZCIn9SzsFwWqh |
| TLSH: | 5314CF47BB60D836C816AE715DF2CC9A6A79BC203FA14D5B310DB2368B317877C1A25D |
| File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Df................L.......].......K.L...'...........N.....B......U\.......Y.....Rich............................PE..L...0..\... |
 | |
| Icon Hash: | 3f7b3cbc6465716d |
| Entrypoint: | 0x401384 |
| Entrypoint Section: | .text |
| Digitally signed: | true |
| Imagebase: | 0x400000 |
| Subsystem: | windows gui |
| Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
| DLL Characteristics: | TERMINAL_SERVER_AWARE |
| Time Stamp: | 0x5C111530 [Wed Dec 12 14:03:28 2018 UTC] |
| TLS Callbacks: | |
| CLR (.Net) Version: | |
| OS Version Major: | 5 |
| OS Version Minor: | 0 |
| File Version Major: | 5 |
| File Version Minor: | 0 |
| Subsystem Version Major: | 5 |
| Subsystem Version Minor: | 0 |
| Import Hash: | f1701f0b31fe827683fdfb65eb40b138 |
| Signature Valid: | true |
| Signature Issuer: | CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US |
| Signature Validation Error: | The operation completed successfully |
| Error Number: | 0 |
| Not Before, Not After |
|
| Subject Chain |
|
| Version: | 3 |
| Thumbprint MD5: | D4392CF7A0F073AB178B1586CD546135 |
| Thumbprint SHA-1: | E0504D965BF65DC63E8A2DA7328A392EA3D6641E |
| Thumbprint SHA-256: | A1658A33836B151EF0A2784F29A6BD8180B0E4F6E3385596942BEC2FFF71A676 |
| Serial: | 0D7AAE3B360869A3BA28BD7D1FD0B8F6 |
| Instruction |
|---|
| call 00007F57C0F09308h |
| jmp 00007F57C0F07BCEh |
| mov edi, edi |
| push ebp |
| mov ebp, esp |
| sub esp, 00000328h |
| mov dword ptr [0040AD58h], eax |
| mov dword ptr [0040AD54h], ecx |
| mov dword ptr [0040AD50h], edx |
| mov dword ptr [0040AD4Ch], ebx |
| mov dword ptr [0040AD48h], esi |
| mov dword ptr [0040AD44h], edi |
| mov word ptr [0040AD70h], ss |
| mov word ptr [0040AD64h], cs |
| mov word ptr [0040AD40h], ds |
| mov word ptr [0040AD3Ch], es |
| mov word ptr [0040AD38h], fs |
| mov word ptr [0040AD34h], gs |
| pushfd |
| pop dword ptr [0040AD68h] |
| mov eax, dword ptr [ebp+00h] |
| mov dword ptr [0040AD5Ch], eax |
| mov eax, dword ptr [ebp+04h] |
| mov dword ptr [0040AD60h], eax |
| lea eax, dword ptr [ebp+08h] |
| mov dword ptr [0040AD6Ch], eax |
| mov eax, dword ptr [ebp-00000320h] |
| mov dword ptr [0040ACA8h], 00010001h |
| mov eax, dword ptr [0040AD60h] |
| mov dword ptr [0040AC5Ch], eax |
| mov dword ptr [0040AC50h], C0000409h |
| mov dword ptr [0040AC54h], 00000001h |
| mov eax, dword ptr [0040A004h] |
| mov dword ptr [ebp-00000328h], eax |
| mov eax, dword ptr [0040A008h] |
| mov dword ptr [ebp-00000324h], eax |
| call dword ptr [00000028h] |
| Programming Language: |
|
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9624 | 0x3c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x25208 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2e600 | 0x3c80 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8130 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x92d0 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x100 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x62d4 | 0x6400 | False | 0.6128125 | data | 6.577573430174636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x8000 | 0x1bec | 0x1c00 | False | 0.3627232142857143 | data | 5.530177957664494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xa000 | 0x18dc | 0xe00 | False | 0.220703125 | firmware 1200 v0 (revision 948256768) N\346@\273\261\031\277D\ |\206@ V2, version 8704.0.49281 (region 318767104), 4102242304 bytes or less, UNKNOWN1 0x13000000, UNKNOWN2 0xac844000, UNKNOWN3 0x1c000000, at 0x1f000000 2424520704 bytes , at 0x20000000 1484996608 bytes , at 0x21000000 1619148800 bytes | 2.301389499466089 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xc000 | 0x25208 | 0x25400 | False | 0.6203400272651006 | data | 6.794793308550795 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xc340 | 0xc301 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9996995252498948 |
| RT_ICON | 0x18644 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.38365077487282623 |
| RT_ICON | 0x28e6c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5286372224846481 |
| RT_ICON | 0x2d094 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5776970954356846 |
| RT_ICON | 0x2f63c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7035647279549718 |
| RT_ICON | 0x306e4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8430851063829787 |
| RT_MENU | 0x30b4c | 0x4a | data | English | United States | 0.8648648648648649 |
| RT_DIALOG | 0x30b98 | 0x170 | data | English | United States | 0.5978260869565217 |
| RT_STRING | 0x30d08 | 0x44 | data | English | United States | 0.6323529411764706 |
| RT_ACCELERATOR | 0x30d4c | 0x10 | data | English | United States | 1.25 |
| RT_GROUP_ICON | 0x30d5c | 0x5a | data | English | United States | 0.7666666666666667 |
| RT_VERSION | 0x30db8 | 0x2e8 | data | Bulgarian | Bulgaria | 0.4583333333333333 |
| RT_MANIFEST | 0x310a0 | 0x165 | ASCII text, with CRLF line terminators | English | United States | 0.5434173669467787 |
| DLL | Import |
|---|---|
| SHLWAPI.dll | PathQuoteSpacesW, PathRemoveFileSpecW |
| KERNEL32.dll | VirtualFree, GetModuleFileNameW, IsWow64Process, GetCurrentProcess, CreateProcessW, CloseHandle, GetStartupInfoW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, HeapCreate, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, VirtualAlloc, HeapReAlloc, RtlUnwind, HeapSize, GetLocaleInfoA, WideCharToMultiByte, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States |  |
| Bulgarian | Bulgaria |  |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
Click to jump to process
| Target ID: | 0 |
| Start time: | 22:20:21 |
| Start date: | 13/11/2023 |
| Path: | C:\Users\user\Desktop\RevoUPort.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 205'440 bytes |
| MD5 hash: | 2F814A927D097A09911111DBF0FC2E93 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 1 |
| Start time: | 22:20:23 |
| Start date: | 13/11/2023 |
| Path: | C:\Users\user\Desktop\RevoUPort.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 205'440 bytes |
| MD5 hash: | 2F814A927D097A09911111DBF0FC2E93 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
| Target ID: | 2 |
| Start time: | 22:20:25 |
| Start date: | 13/11/2023 |
| Path: | C:\Users\user\Desktop\RevoUPort.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x400000 |
| File size: | 205'440 bytes |
| MD5 hash: | 2F814A927D097A09911111DBF0FC2E93 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | low |
| Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
| Execution Coverage: | 7.9% |
| Dynamic/Decrypted Code Coverage: | 0% |
| Signature Coverage: | 6.4% |
| Total number of Nodes: | 1043 |
| Total number of Limit Nodes: | 33 |
Graph
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
Control-flow Graph
| APIs |
|
| Strings |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
Download Yara Rule
| APIs |
|
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
| APIs |
| Memory Dump Source |
|
|
| Joe Sandbox IDA Plugin |
|
| Similarity |
|
| Uniqueness |
Uniqueness Score: -1.00% |
