Overview

overview

10

Static

static

10

ZCgngKMK.exe

windows7_x64

10

ZCgngKMK.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-12-2020 13:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZCgngKMK.exe

  • Size

    27KB

  • MD5

    038265381c07bdfe9e316ee37300deaa

  • SHA1

    3acf06557ebe350907ce0ffbe21679e4a1cbb9b3

  • SHA256

    db5eb754fff22b0478702d838e7b0e4d7285e8859a4bcf6fe1288ca83ff16a8b

  • SHA512

    e83bee3420124a2ff829464b926c86f35736e51fae0baafeb18bbd253df7135bf661a951859dc857807f76f0fa7bd33bc79bc2a9a1f6e8ab687afa8b4f86692f

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

Rigisterio-37154.portmap.host:37154

Mutex

RV_MUTEX-DCGRFbTXZMONF

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 2 IoCs
    stealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZCgngKMK.exe
    "C:\Users\Admin\AppData\Local\Temp\ZCgngKMK.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
          PID:1620

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\efhaRClgZb.txt
      MD5

      59e8dcec718066df1df3a98129c64430

      SHA1

      1cd033948ed1bcf22b1a06f61870f3a6a73f8bba

      SHA256

      a34e428ed556ce06234a310f1cca864fc13abc7f5b07fb534a760d039a43c276

      SHA512

      38f84f13ca89e9190089aa4d8415026e5b6dbed6aae95c43ee9e70d53efaa58dd0e583c04c9e73802418aa5d80f771395299420506a2a464a64dbc4b0b79a464

      Download Submit
    • memory/1620-5-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1620-6-0x0000000000406BDE-mapping.dmp
      Download
    • memory/1628-2-0x00007FF820810000-0x00007FF8211B0000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/3980-3-0x0000000000400000-0x000000000040C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/3980-4-0x0000000000407B0E-mapping.dmp
      Download