Analysis

  • max time kernel
    120s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    01-02-2022 07:13

General

  • Target

    44b6bea1d0693d6c08b3a9c10f06c58bafc4bc43460b4416c213844fe287bae8.js

  • Size

    1.9MB

  • MD5

    4e713b040bd5fcf38533c4fbab817a0a

  • SHA1

    d35eb5ca2ca01f2aaac9dc4357743fdca3682738

  • SHA256

    44b6bea1d0693d6c08b3a9c10f06c58bafc4bc43460b4416c213844fe287bae8

  • SHA512

    8658b2c7b95a36512d1b26bd4e32090101519d18e2aa399d7d6a70da7ec2e17f3ad1f03787d83157eb8ffc95ffa4872241bdb387f2c8d5e7189d2ecfb59e8d04

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\44b6bea1d0693d6c08b3a9c10f06c58bafc4bc43460b4416c213844fe287bae8.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Users\Admin\AppData\Local\Temp\5849077810000000.exe
      "C:\Users\Admin\AppData\Local\Temp\5849077810000000.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\system32\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
          PID:4840
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe db8562d26d73b407185b11062f665067 ZaF5+7XqpEqckbHRBUmEGQ.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:4160
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\5849077810000000.exe

    MD5

    53d4d4cc977362c09fd466bb676567c8

    SHA1

    721ca63682c4a34c86585f80eceead43f20e10f3

    SHA256

    5e94b03664c3674f3eab1e750ffde61d3d21d938ec0ce21f6f64bc9362aeb084

    SHA512

    e9ab6bb64ad9c576e9eb66331ef4546d54d1cf31f5250e87683f1a887bda5acf09ed39707eef89e6135ffc8b41da451e59d590da325dcd23e9a16af338475df1

  • memory/4896-132-0x00000236C03A0000-0x00000236C03B0000-memory.dmp

    Filesize

    64KB

  • memory/4896-139-0x00000236C3020000-0x00000236C3024000-memory.dmp

    Filesize

    16KB