General
-
Target
99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
-
Size
135KB
-
Sample
220219-kzabpaabc5
-
MD5
ee2fb6446ec3ac180286e25365b202b3
-
SHA1
6bd0bf5b4d0cea86979de7d5b78937c2ff4ee778
-
SHA256
99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
-
SHA512
8e33769206cb7cb5a2655cdc18fba9087bdbfff0de4637d85d5837b36c529ddfb1b69c7424c7d18e38cb8ac106133c9cac2178abc50b8a119f7ae456bac2de27
Malware Config
Extracted
https://pastebin.com/raw/3mS4sRnV
Extracted
revengerat
Client
kimjoy.ddns.net:2021
RXQLV8XYTDNHNSA
Targets
-
-
Target
99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
-
Size
135KB
-
MD5
ee2fb6446ec3ac180286e25365b202b3
-
SHA1
6bd0bf5b4d0cea86979de7d5b78937c2ff4ee778
-
SHA256
99b9e3b1e096a9e19fbf0eabc7d414045121dc10a2cd825eea5b2ee3465621ee
-
SHA512
8e33769206cb7cb5a2655cdc18fba9087bdbfff0de4637d85d5837b36c529ddfb1b69c7424c7d18e38cb8ac106133c9cac2178abc50b8a119f7ae456bac2de27
Score10/10-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-