Overview

overview

10

Static

static

8bf630162e...d5.exe

windows7_x64

10

8bf630162e...d5.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    165s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    15-02-2022 10:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5.exe

  • Size

    252KB

  • MD5

    cddfcb26e8cf825911344503abeed368

  • SHA1

    d15ef21fe133d47b2305925acdf139bff417062e

  • SHA256

    8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5

  • SHA512

    1d1b3e7701cf7d03079d677245980acb92eb1c23076ea2ff3325f4efdaac82cbd62efb0be436320fee2882e1830a34b77960c4cd9ed42bcaa1c159d008fba472

Score
10/10
revengeratnov333stealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Nov333

C2

80.82.68.21:3333

Mutex

RV_MUTEX-FtNHuiGGjjtnxDp

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • RevengeRat Executable 3 IoCs
    stealer
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5.exe
    "C:\Users\Admin\AppData\Local\Temp\8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1524
    • C:\Users\Admin\AppData\Local\Temp\8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5.exe
      "C:\Users\Admin\AppData\Local\Temp\8bf630162e5a475cba1e37f56353169e57083b39b6e7a47ff30f63d228ce9bd5.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/852-59-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-60-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-61-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-62-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-63-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/852-65-0x00000000049C0000-0x00000000049C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/852-64-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1524-54-0x0000000000910000-0x0000000000954000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1524-55-0x0000000074A7E000-0x0000000074A7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1524-56-0x00000000004B0000-0x00000000004EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1524-57-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1524-58-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download