Analysis
- max time kernel: 75s
- max time network: 142s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 29-12-2020 16:18
- Static task: static1
- Behavioral task: behavioral1 (Sample: xuhHcXaf.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: xuhHcXaf.exe, Resource: win10v20201028)
General
- Target: xuhHcXaf.exe
- Size: 17KB
- MD5: c27671f8918a8dab7a62d5cb2610a84a
- SHA1: 5374d090cca0730bb48e1308c87ba1eb33d7474e
- SHA256: ce33e156cf93f70c1e265b51a623a040c42d54c90af89d701c55c4ecdb33e203
- SHA512: 0be78696c1924b9db2a88f2ad4fdd24cfe476a57561a03172ba845ddd8ca4d7e47f38f2083dff33a0a0e98ca4fcf5fe9b4bb8623600cd8c277decc89921ddd46
Malware Config
Extracted
- Family: revengerat
- Botnet: figaro
- C2: 185.204.1.236:3312
- Mutex: RV_MUTEX-mheVqDyMpzZJHOw
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe | revengerat
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    268 | svchost.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | xuhHcXaf.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | svchost.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | xuhHcXaf.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1824 | xuhHcXaf.exe
    Token: SeDebugPrivilege | 268 | svchost.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1824 wrote to memory of 268 | 1824 | xuhHcXaf.exe | svchost.exe
    PID 1824 wrote to memory of 268 | 1824 | xuhHcXaf.exe | svchost.exe
    PID 1824 wrote to memory of 268 | 1824 | xuhHcXaf.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\xuhHcXaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xuhHcXaf.exe"
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (child process)
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  MD5: c27671f8918a8dab7a62d5cb2610a84a
  SHA1: 5374d090cca0730bb48e1308c87ba1eb33d7474e
  SHA256: ce33e156cf93f70c1e265b51a623a040c42d54c90af89d701c55c4ecdb33e203
  SHA512: 0be78696c1924b9db2a88f2ad4fdd24cfe476a57561a03172ba845ddd8ca4d7e47f38f2083dff33a0a0e98ca4fcf5fe9b4bb8623600cd8c277decc89921ddd46
- memory/268-4-0x0000000000000000-mapping.dmp
- memory/268-7-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp (Filesize: 9.6MB)
- memory/268-8-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp (Filesize: 9.6MB)
- memory/1824-2-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp (Filesize: 9.6MB)
- memory/1824-3-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp (Filesize: 9.6MB)