Analysis

  • max time kernel
    174s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-02-2022 17:19

General

  • Target

    bf34977eea90dc8bd7b5269b47ab2a49cdc0a63276171dffadd91936ba26bd9b.exe

  • Size

    410KB

  • MD5

    67e0931fe20e34f2afa338cedfa66748

  • SHA1

    1123279edbeca2d1eba565e57edf1ac2f19f056e

  • SHA256

    bf34977eea90dc8bd7b5269b47ab2a49cdc0a63276171dffadd91936ba26bd9b

  • SHA512

    f03396efa39bf92cb713df3fe94510b42ad2ab709efb4957d6e0ebca56d46b14c9cda063a7fb4b39bdbe1587ade5ed22b881864be5ec93dafbe103e28964f599

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf34977eea90dc8bd7b5269b47ab2a49cdc0a63276171dffadd91936ba26bd9b.exe
    "C:\Users\Admin\AppData\Local\Temp\bf34977eea90dc8bd7b5269b47ab2a49cdc0a63276171dffadd91936ba26bd9b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\system32\cmd.exe
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\356B.tmp\35CA.bat C:\Users\Admin\AppData\Local\Temp\1.exe"
        3⤵
          PID:992
      • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Windows\SysWOW64\fondue.exe
          "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3272
          • C:\Windows\system32\FonDUE.EXE
            "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            4⤵
              PID:3496
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:3796
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2264
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\1.exe

        MD5

        a3fac04d2b602593e891fe8ed94ae41e

        SHA1

        147ca2b095939fa754a7dd7501f08c3c3c814cc5

        SHA256

        4aea50c98f1f732e37ce483073573023fe0f032394958a0dd80ab6464c69af71

        SHA512

        20671feb188de7ee0adf949aead4dd96230eb45017acfd6f18142dc726d08c817ee9e55941892f22e2c6a3eb1aa6b396dd2374ec1b8f5ad87970fdca5ecca859

      • C:\Users\Admin\AppData\Local\Temp\356B.tmp\35CA.bat

        MD5

        333da68f3a2be23a4c9c6ea70567b59c

        SHA1

        912013ba40764b9e44dd0d2bf3e80aed9f1e74ea

        SHA256

        8f17fc9b10ef14a8b0674df229d299b82e069740e3eb11ed88d7428bfcde4a46

        SHA512

        dad3f5ec620c0387850328913367ff61bcd44b6c5df4523fa88fa65467f22a9888ff1316beb15e3ae59606a5ad804d328ef227b9fed8db32576adbf47b0a076e

      • C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

        MD5

        3b3ad8bd549b9281d23e2a389f8d4612

        SHA1

        25bb6cb9f1e2c8d51b03f46e611955ae4c43b5eb

        SHA256

        52a161b50e1d5287dd740d5f4c962b9a654eb632ed4b98fc85378ca72d1a21ff

        SHA512

        17157688ff48d3d26b23a8fc2b158ab28b74a453e8a54a536c3b4c6d01689addb0394a68ff4986b7448bc9fa5072cae22690637f127092b5696bd3a76f2424b2