Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 07-06-2021 05:41

Tasks
Static task: static1
Behavioral task behavioral1: Swift MT103 & Bank Details,pdf.exe on win7v20210408
Behavioral task behavioral2: Swift MT103 & Bank Details,pdf.exe on win10v20210410

General
Target: Swift MT103 & Bank Details,pdf.exe
The name is a double-extension lure: a comma and "pdf" glued in front of the real .exe extension, so with extensions hidden it displays as a PDF named after a SWIFT payment message.
Size: 783KB
MD5: c7b6950fc14795d0c9df548d62ccbf78
SHA1: 5c8bd970726639a931d011123c7dd7cb3bb91352
SHA256: f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98
SHA512: e033ee11b5fabe72f9cbf11b9af8b701300ee4d6955ce1b6a72b25fcdcf29149e4d1d2e370a53d75a4180ece064d383f1622f141123abdeed8017e01b6c34009
Malware Config
Extracted configuration (revengerat):
Family: revengerat
Campaign ID: BILLION
C2: rej.rejgroups.com:4040
Mutex: RV_MUTEX-Y6F7MMH6M66HDLJMYP6B6P
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
Suspicious use of SetThreadContext (1 IoC)
description: PID 360 set thread context of 1548 | pid: 360 | process: Swift MT103 & Bank Details,pdf.exe | procid_target: 31
The target, PID 1548, is a second copy of the sample started by PID 360. Setting a thread context on a freshly started child of your own image, after writing to its memory (see the WriteProcessMemory IoCs below), is consistent with process hollowing (RunPE): the original thread's entry point is redirected into the written payload before it is resumed.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the signature's generic description. For this sample, which is classified as a RAT and shows no file-encryption activity in this report, drive enumeration is more plausibly host reconnaissance than a ransomware precursor.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | process: Swift MT103 & Bank Details,pdf.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString | process: Swift MT103 & Bank Details,pdf.exe
RATs also read ProcessorNameString to fingerprint the host for their initial check-in, so on its own this is weak evidence of evasion. Note that the process performing the read is the injected copy (PID 1548 in the process tree), not the launcher.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid: 732 | process: schtasks.exe
The task is imported from an XML definition in the user's Temp directory (see the process tree); the definition file itself is not captured in this report, so the task's trigger and action are unknown here.
Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege | pid: 360 | process: Swift MT103 & Bank Details,pdf.exe
Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | process | procid_target | count
PID 360 wrote to memory of 732 | 360 | Swift MT103 & Bank Details,pdf.exe | 29 | 4 writes
PID 360 wrote to memory of 1548 | 360 | Swift MT103 & Bank Details,pdf.exe | 31 | 9 writes
The four writes into schtasks.exe (PID 732) coincide with spawning that child; the nine writes into the second copy of the sample (PID 1548), followed by the SetThreadContext call on the same process, are the payload injection.
Processes

1. "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe" (PID 360)
   Signatures: Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
   2. "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBEC.tmp" (PID 732, image: C:\Windows\SysWOW64\schtasks.exe)
      Signatures: Creates scheduled task(s)
   2. "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe" (PID 1548)
      Signatures: Checks processor information in registry

Notes on the tree: the command line names System32\schtasks.exe but the image that runs is the SysWOW64 copy, which means the parent is a 32-bit process and file-system redirection applied. The task is registered under a folder named "Updates" in the Task Scheduler library with a random-looking name, from a temporary XML file in %TEMP%. The second copy of the sample (PID 1548) is the process that receives the memory writes and SetThreadContext call from PID 360 and then performs the CPU-name registry read, so it is the one running the injected payload.
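The three process-level behaviours in this report (a task imported from an XML in %TEMP%, the sample re-launching its own image before the memory writes, and the ",pdf.exe" name) are what an analyst would turn into hunting rules. Below is an added example, not part of the sandbox report or of any vendor tooling: a Python hunt over Sysmon-style process-creation records. The records are constructed from this report's process tree; the explorer.exe parent of PID 360 and the benign control event are assumptions.

```python
# Added example, not part of the sandbox report: a small hunt over
# Sysmon-style process-creation records (event ID 1 fields) for the three
# behaviours the report records. Records are constructed from the report's
# process tree; the explorer.exe parent of PID 360 and the benign control
# event are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """The subset of a process-creation event the rules below need."""
    pid: int
    ppid: int
    image: str          # full path of the new process's executable
    parent_image: str   # full path of the parent's executable
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"

EVENTS = [
    # PID 360: the lure, launched from the user's Temp directory (parent assumed).
    ProcEvent(360, 1200, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    # PID 732: persistence via a task imported from an XML in %TEMP%.
    ProcEvent(732, 360, r"C:\Windows\SysWOW64\schtasks.exe", SAMPLE,
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFBEC.tmp"'),
    # PID 1548: a second copy of the sample, the target of the memory writes.
    ProcEvent(1548, 360, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    # Constructed benign control: a task registered from a non-user path.
    ProcEvent(900, 800, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks.exe /Create /TN "Microsoft\Office\Update" '
              r'/XML "C:\Program Files\Office\update.xml"'),
]

# Directories an unprivileged user can write to; paths here are suspicious
# both as executable locations and as sources of task definitions.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Public)\\", re.I)
# "name,pdf.exe" style lures: a document-looking token glued to an executable extension.
DOUBLE_EXT = re.compile(r"[.,_ ](pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.I)

Finding = Tuple[str, int, str]   # (rule name, pid, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def xml_arg(cmdline: str) -> Optional[str]:
    """Return the path passed to schtasks /XML, quoted or not, or None."""
    m = re.search(r'/xml\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def is_double_extension_lure(path: str) -> bool:
    return DOUBLE_EXT.search(basename(path)) is not None


def hunt(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        # Rule 1: schtasks /Create importing a task definition from a user-writable path.
        if basename(e.image).lower() == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.I):
            xml = xml_arg(e.cmdline)
            if xml and USER_WRITABLE.search(xml):
                findings.append(("schtasks_create_from_user_dir", e.pid, xml))
        # Rule 2: a process starting a second copy of its own image from a user-writable
        # path, the launch pattern behind the SetThreadContext/WriteProcessMemory IoCs.
        if e.image.lower() == e.parent_image.lower() and USER_WRITABLE.search(e.image):
            findings.append(("self_spawn_user_writable", e.pid, f"child of {e.ppid}"))
        # Rule 3: double-extension filename on the executable itself.
        if is_double_extension_lure(e.image):
            findings.append(("double_extension_lure", e.pid, basename(e.image)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run as-is it reports the lure name for PIDs 360 and 1548, the task import for PID 732 and the self-spawn for PID 1548, and nothing for the control event. On real telemetry, fill EVENTS from Sysmon event 1 (Image, ParentImage, CommandLine) and treat rule 2 as a hollowing candidate to confirm with Sysmon event 10 (ProcessAccess) or with API-level IoCs like the ones this report lists, since legitimate installers also occasionally re-launch themselves.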