revengerat | 57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44 | Triage

Sharing

General

Target

49c17404c6314b837c9f3b49aba9bf7e.hta
Size

144KB
Sample

220402-ebapnaecdp
MD5

49c17404c6314b837c9f3b49aba9bf7e
SHA1

dce337aa57cdf134e0c7a7101353777346e964e2
SHA256

57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44
SHA512

8018e8ad4f98cbea91218fd378c3f0a90ab172f6176a6d17016f2d23c1783250fa1467ee2f2023036dd8826816586d90f920f351929ca93d3e710feaf19cb268

Score

10^/10

revengerat mr_ahmed trojan

Malware Config

Extracted

Family

revengerat

Botnet

MR_ahmed

C2

45.147.230.231:2222

Mutex

c416f58db13c4

Targets

- Target
  
  49c17404c6314b837c9f3b49aba9bf7e.hta
- Size
  
  144KB
- MD5
  
  49c17404c6314b837c9f3b49aba9bf7e
- SHA1
  
  dce337aa57cdf134e0c7a7101353777346e964e2
- SHA256
  
  57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44
- SHA512
  
  8018e8ad4f98cbea91218fd378c3f0a90ab172f6176a6d17016f2d23c1783250fa1467ee2f2023036dd8826816586d90f920f351929ca93d3e710feaf19cb268
Score

10^/10

revengerat mr_ahmed trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

revengeratmr_ahmedtrojan