Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    07-06-2021 05:41

General

  • Target

    Swift MT103 & Bank Details,pdf.exe

  • Size

    783KB

  • MD5

    c7b6950fc14795d0c9df548d62ccbf78

  • SHA1

    5c8bd970726639a931d011123c7dd7cb3bb91352

  • SHA256

    f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98

  • SHA512

    e033ee11b5fabe72f9cbf11b9af8b701300ee4d6955ce1b6a72b25fcdcf29149e4d1d2e370a53d75a4180ece064d383f1622f141123abdeed8017e01b6c34009

Malware Config

Extracted

Family

revengerat

Botnet

BILLION

C2

rej.rejgroups.com:4040

Mutex

RV_MUTEX-Y6F7MMH6M66HDLJMYP6B6P

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBEC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:732
    • C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
      2⤵
      • Checks processor information in registry
      PID:1548

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/360-59-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

    Filesize

    4KB

  • memory/1548-62-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1548-64-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/1548-66-0x00000000047D0000-0x00000000047D1000-memory.dmp

    Filesize

    4KB