Analysis
-
max time kernel
144s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
01-12-2020 16:03
General
-
Target
43SjNv5s.exe
-
Size
21KB
-
MD5
aa9f37ce187d4b4556807f49f57ca678
-
SHA1
d4c05259f35840e96232bc41e1bd14defc73988f
-
SHA256
ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65
-
SHA512
1f0aed05bc5574f62f8cfe3bf586390dd98e25593f17b8178029fdbdaa96d819de758f0dbdc65ef2163478def9caeb0ac9fb4689c04e71156c4967496a965baa
Score
10/10
Malware Config
Extracted
Family
revengerat
Botnet
Guest
C2
4.tcp.ngrok.io:13284
Mutex
RV_MUTEX-sawrHJfWfhaRClg
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of WriteProcessMemory 223 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\43SjNv5s.exe"C:\Users\Admin\AppData\Local\Temp\43SjNv5s.exe"1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll.exe"C:\Windows\system32\rundll.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6256e00,0x7fef6256e10,0x7fef6256e202⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1204 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1260 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1768 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1196,6375879777140841863,5569356083714917920,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:12⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
a018039e4dc8e50d0344ab5a487bbf4f
SHA1d41bcc16f13c6e490208a45a4fe109a694577bd9
SHA2563563704533f3611fede932472231e143dc21cca6bba31dd65bfedb719f97ffec
SHA512769614cbe9c64773e50661eb9ff5f4b27d235b3ac5c0008258eea37fee51e4fcc789554c0f2c1804778182dbf808fbea191ca3a28a71d0ad7ec279901cdde05e
-
C:\Windows\System32\rundll.exeMD5
aa9f37ce187d4b4556807f49f57ca678
SHA1d4c05259f35840e96232bc41e1bd14defc73988f
SHA256ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65
SHA5121f0aed05bc5574f62f8cfe3bf586390dd98e25593f17b8178029fdbdaa96d819de758f0dbdc65ef2163478def9caeb0ac9fb4689c04e71156c4967496a965baa
-
C:\Windows\system32\rundll.exeMD5
aa9f37ce187d4b4556807f49f57ca678
SHA1d4c05259f35840e96232bc41e1bd14defc73988f
SHA256ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65
SHA5121f0aed05bc5574f62f8cfe3bf586390dd98e25593f17b8178029fdbdaa96d819de758f0dbdc65ef2163478def9caeb0ac9fb4689c04e71156c4967496a965baa
-
\??\pipe\crashpad_1096_OBYBCENGIGQZQVITMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/596-6-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/596-7-0x000000013FC03F60-0x000000013FC04020-memory.dmpFilesize
192B
-
memory/596-10-0x0000000000000000-mapping.dmp
-
memory/596-11-0x0000000076F60000-0x0000000076F61000-memory.dmpFilesize
4KB
-
memory/1160-92-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-103-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-104-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-105-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-34-0x0000000000000000-mapping.dmp
-
memory/1160-106-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-42-0x0000015000040000-0x0000015000041000-memory.dmpFilesize
4KB
-
memory/1160-45-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-47-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-46-0x000000000A290000-0x000000000A2A1000-memory.dmpFilesize
68KB
-
memory/1160-49-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-48-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-107-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-108-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-109-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-110-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-111-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-112-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-113-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-114-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-115-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-116-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-117-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-118-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-119-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-120-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-121-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-122-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-123-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-124-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-125-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-126-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-127-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-128-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-129-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-130-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-131-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-132-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-133-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-134-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-135-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-136-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-137-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-138-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-139-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-140-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1160-141-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-60-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-70-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-91-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-89-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-93-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-94-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-95-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-96-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-97-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-98-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-99-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-100-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-101-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-88-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-87-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-26-0x0000000000000000-mapping.dmp
-
memory/1336-85-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-84-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-52-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-81-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-80-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-78-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-77-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-76-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-75-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-74-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-73-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-72-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-71-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-90-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-69-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-68-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-67-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-66-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-65-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-64-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-63-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-62-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-61-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-53-0x0000000009B50000-0x0000000009B61000-memory.dmpFilesize
68KB
-
memory/1336-59-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-58-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-57-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-56-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-55-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1336-54-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1484-18-0x0000000000000000-mapping.dmp
-
memory/1548-12-0x0000000000000000-mapping.dmp
-
memory/1580-82-0x00000000083C0000-0x00000000083D1000-memory.dmpFilesize
68KB
-
memory/1580-43-0x0000000000000000-mapping.dmp
-
memory/1580-86-0x0000000000080000-0x00000000000800B0-memory.dmpFilesize
176B
-
memory/1668-2-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/1668-3-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/1864-4-0x0000000000000000-mapping.dmp
-
memory/2780-143-0x0000000000000000-mapping.dmp
-
memory/2780-146-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB
-
memory/2780-147-0x000007FEF51D0000-0x000007FEF5B6D000-memory.dmpFilesize
9.6MB