revengerat | f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71

Analysis

max time kernel
137s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
02-06-2021 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Docs draft comfirm.exe
Size

634KB
MD5

06b489cf55e5fb333ae93d27b8cfc520
SHA1

1d6657688be52c19e80bf600e669b83380418c28
SHA256

f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71
SHA512

ce4f269964a19722b29e295a5ee5cb4dac0aca5522e3bb9c82e19970a489015e20104bcd78b5f9cd47cf84aceae7b36715095a07352984158f685f8d41ff09a0

Score

10^/10

revengerat evapimp trojan

Malware Config

Extracted

Family

revengerat

Botnet

EVAPIMP

canarybeachhotel.sa:2028

Mutex

RV_MUTEX-QD45QIW83Y0M3H43IAX1P6

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

Docs draft comfirm.exe

description pid process target process

PID 1200 set thread context of 1604 1200 Docs draft comfirm.exe Docs draft comfirm.exe

description	pid	process	target process
PID 1200 set thread context of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Docs draft comfirm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Docs draft comfirm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString	Docs draft comfirm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Docs draft comfirm.exe

description	pid	process	target process
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 1200 wrote to memory of 1604	1200	Docs draft comfirm.exe	Docs draft comfirm.exe

C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
"C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
"C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
2⤵
- Checks processor information in registry
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-60-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1200-61-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1200-65-0x0000000000361000-0x0000000000362000-memory.dmp

Filesize
4KB

Download
memory/1604-63-0x000000000040687E-mapping.dmp

Download
memory/1604-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1604-66-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download