Overview

overview

10

Static

static

f759299c25...b5.vbs

windows7_x64

3

f759299c25...b5.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5.vbs

  • Size

    162KB

  • MD5

    066033d8f2c588fbb53efe7eb7a320da

  • SHA1

    95466ba7d5566315e84b023f618926647c414a8c

  • SHA256

    f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5

  • SHA512

    4df815cb9e1777e6352af216ed34c9b0a9b4c8b0be1ff1e6d4ed67716eca4350dbcd354534f56eafcb894968d7fcd7340d918d71efaf843bdc403d9ebb00f2d0

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:6699

Mutex

S1NTYL5X286LOEH

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f759299c255908d9dc75e0a65c7abd3598835c7e29c911f238a2df2b77703db5.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EXECUTIONPOLICY remotesigned -fILe C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gg2c3cd5\gg2c3cd5.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1764
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5438.tmp" "c:\Users\Admin\AppData\Local\Temp\gg2c3cd5\CSC1F7F9D59D77444B7A14E7182E8749BCE.TMP"
          4⤵
            PID:984
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          3⤵
            PID:2212
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            3⤵
              PID:2468
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:3772

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\OS64Bits.PS1
          MD5

          59ef366b87424b895d42c829d7e409a5

          SHA1

          cca0c3bc1470b6daaf3178fac34bb44fa63d3c2d

          SHA256

          ba7b4d62901d894172cb0d2c36bed465943541e3e47fa4d182cb9c5c245350a9

          SHA512

          2b96b39bcd98b71bd28e19236a5568f279caf66661ca220cda33502d255b9906821e7170462258d8445180e9fcf29df8e8bf50bc25587977980c930458b9757d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES5438.tmp
          MD5

          bdfdeccae3f41c06f44850cb86d412c1

          SHA1

          b3d3c662b2d41ae39bde1db1f79de7c754034882

          SHA256

          e6dd4651331a91fe7c0f72905548d322ad4bff54eac6ab5d9f11f42ffad276fe

          SHA512

          332c950abd29a4a5d5314bc14b6ec870011c765b67568383a694052544cc9f7646383549928f1cb365e423ae232d0ea67cd8f977e8e3738872becb8f54ae5b30

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\gg2c3cd5\gg2c3cd5.dll
          MD5

          6c24e6e8228404cbce29c3f59a0e1d46

          SHA1

          0ead01d1e96064f6ddf12fe0bfb6f8fafe738bed

          SHA256

          25a8ac61f73593173b1d6610807d68a4d7c4c43d75ffd67e823dc06062027c55

          SHA512

          20ca84be8f3f8962100f9cd4bf893c675cb5a0d46c1df0d9df87f87e77f0d56d6d980c4756e6eca4a4ee0c839070bebc91fcf5c1e3fd3efcadf0626f4a0f2109

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gg2c3cd5\CSC1F7F9D59D77444B7A14E7182E8749BCE.TMP
          MD5

          980b0fe18d200bea5047d1bbde19d119

          SHA1

          acf356935c60859bf20e87b7b148f49d7e63044f

          SHA256

          89f0652cd941d0825cb0b71e339255886da7a5e291dc455991784929df8747f6

          SHA512

          16c1686fddc6965f3a27557d8570726e155e1d17213f53f5578f33426b14d367b6e3d8dc4113f0ed2345b9d12a55c9a872f968b0a979548c6a2ab7f6913ce52b

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gg2c3cd5\gg2c3cd5.0.cs
          MD5

          e03b1e7ba7f1a53a7e10c0fd9049f437

          SHA1

          3bb851a42717eeb588eb7deadfcd04c571c15f41

          SHA256

          3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

          SHA512

          a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\gg2c3cd5\gg2c3cd5.cmdline
          MD5

          ccb6e0e79aa9faf8d13d1d9cb508948a

          SHA1

          b714ba4233f045fa0786b913b0843ced539ed74f

          SHA256

          50a0764111c4ba00b9e5bffaaab2e14079ecc61b111863295001aafc4ce72dbf

          SHA512

          992cea0c1a3de1839c8e82f73a03b14573a11bc4f541f5e83a6cdb6be5ffad901f1fcc44435bd96c4cd1213914eb5de3facef9fe7e8e6b9c04fbaf644817aca7

          Download Submit

        • memory/2468-149-0x00000000052A0000-0x00000000052A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2468-148-0x00000000053B0000-0x000000000544C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2468-144-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2468-143-0x00000000057A0000-0x0000000005D44000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2468-142-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3772-145-0x000001A355F80000-0x000001A355F90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3772-146-0x000001A356520000-0x000001A356530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3772-147-0x000001A358C00000-0x000001A358C04000-memory.dmp

          Filesize

          16KB

          Download

        • memory/3940-136-0x00000113BB766000-0x00000113BB768000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3940-135-0x00000113BB763000-0x00000113BB765000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3940-133-0x00007FF936F63000-0x00007FF936F65000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3940-130-0x00000113BB710000-0x00000113BB732000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3940-134-0x00000113BB760000-0x00000113BB762000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3940-132-0x00000113BDCE0000-0x00000113BDD56000-memory.dmp

          Filesize

          472KB

          Download