revengerat | f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71

Analysis

max time kernel
137s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
02-06-2021 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Docs draft comfirm.exe
Size

634KB
MD5

06b489cf55e5fb333ae93d27b8cfc520
SHA1

1d6657688be52c19e80bf600e669b83380418c28
SHA256

f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71
SHA512

ce4f269964a19722b29e295a5ee5cb4dac0aca5522e3bb9c82e19970a489015e20104bcd78b5f9cd47cf84aceae7b36715095a07352984158f685f8d41ff09a0

Score

10^/10

revengerat evapimp trojan

Malware Config

Extracted

Family

revengerat

Botnet

EVAPIMP

canarybeachhotel.sa:2028

Mutex

RV_MUTEX-QD45QIW83Y0M3H43IAX1P6

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2204 set thread context of 4012	2204	Docs draft comfirm.exe	80

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Docs draft comfirm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Docs draft comfirm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	Docs draft comfirm.exe
2204	Docs draft comfirm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	Docs draft comfirm.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	79
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	79
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	79
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	80

C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
"C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
  "C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
  "C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
  2⤵
  - Checks processor information in registry
  PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-114-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2204-115-0x00000000027D1000-0x00000000027D2000-memory.dmp

Filesize
4KB

Download
memory/4012-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4012-119-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download