Analysis
- max time kernel: 135s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:27
- Static task: static1
- Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v20201028
General
- Target: file.exe
- Size: 17KB
- MD5: bd86b3d43f45a0dc0ff6f9557a2fa13f
- SHA1: 1ab9d082c409e6b5e956973e540cdc5cbe5e4160
- SHA256: 291bf31470c9bcacec467c980adb7a3d111ebb6b72cf07147884a7eae5cabde9
- SHA512: 058c70d976a8c6fdb363d2b3990f68acb35eb928cbfc5742ade6f5334e26039acbb171de4ec5250375012983c2659133a053a2b63fdc63a749356c016cd84dde
Malware Config
Extracted
- Family: revengerat
- Botnet: Guest
- C2: 192.168.234.157:4444
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes:
    resource                                    yara_rule
    C:\Users\Admin\AppData\Roaming\Client.exe   revengerat
    C:\Users\Admin\AppData\Roaming\Client.exe   revengerat
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    1828   Client.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1408   file.exe
    Token: SeDebugPrivilege   1828   Client.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid    process    target process
    PID 1408 wrote to memory of 1828   1408   file.exe   Client.exe
    PID 1408 wrote to memory of 1828   1408   file.exe   Client.exe
    PID 1408 wrote to memory of 1828   1408   file.exe   Client.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Client.exe
    command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\Client.exe
  MD5: bd86b3d43f45a0dc0ff6f9557a2fa13f
  SHA1: 1ab9d082c409e6b5e956973e540cdc5cbe5e4160
  SHA256: 291bf31470c9bcacec467c980adb7a3d111ebb6b72cf07147884a7eae5cabde9
  SHA512: 058c70d976a8c6fdb363d2b3990f68acb35eb928cbfc5742ade6f5334e26039acbb171de4ec5250375012983c2659133a053a2b63fdc63a749356c016cd84dde
- memory/1408-0-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
  Filesize: 9.6MB
- memory/1408-1-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
  Filesize: 9.6MB
- memory/1828-2-0x0000000000000000-mapping.dmp
- memory/1828-5-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
  Filesize: 9.6MB
- memory/1828-6-0x000007FEF5CE0000-0x000007FEF667D000-memory.dmp
  Filesize: 9.6MB