revengerat | 70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87 | Triage

Submit
Reports

Overview

overview

Static

static

70a50fac81...87.exe

windows7_x64

70a50fac81...87.exe

windows10-2004_x64

Sharing

General

Target

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
Size

8.3MB
Sample

220315-t23wfsddh8
MD5

c25411c67aa30dbe53f157a411818426
SHA1

396ad9485cccba77f91a84b9d5b6356bb728d19b
SHA256

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
SHA512

ad36da1c23602299696e5a44d3a193ff8c29be2e73708bbbded6ae321da8de1dbdfd204279153eb19c7505a3c3f80a7334f85b261ac039c8e6153120ec096121

Score

10^/10

revengerat guest stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe

Resource

win7-20220311-en

revengerat guest stealer trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87.exe

Resource

win10v2004-20220310-en

revengerat guest stealer trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://www.minpic.de/k/b7d6/44dea/

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.minpic.de/k/b7d4/1jepll/

Extracted

Family

revengerat

Botnet

Guest

C2

185.25.50.196:64537

Mutex

RV_MUTEX-pnFwUnoWrUUgHRH

Targets

- Target
  
  70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
- Size
  
  8.3MB
- MD5
  
  c25411c67aa30dbe53f157a411818426
- SHA1
  
  396ad9485cccba77f91a84b9d5b6356bb728d19b
- SHA256
  
  70a50fac81ba4867e190e5aa600db3f849f87da0804bd670e184b665bb86ee87
- SHA512
  
  ad36da1c23602299696e5a44d3a193ff8c29be2e73708bbbded6ae321da8de1dbdfd204279153eb19c7505a3c3f80a7334f85b261ac039c8e6153120ec096121
Score

10^/10

revengerat guest stealer trojan upx
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

revengeratgueststealertrojanupx

behavioral2

revengeratgueststealertrojanupx

© 2018-2024

Terms | Privacy