Overview

overview

10

Static

static

5

0063f6a96b...6e.exe

windows7_x64

10

0063f6a96b...6e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-05-2022 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe

  • Size

    967KB

  • MD5

    ee2fe8acd41c86fead2525b4420a5956

  • SHA1

    991f74f3f33de2757af89c1e62090a9703f21fc2

  • SHA256

    0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e

  • SHA512

    ed19c53ae47fa77a6e45c479f40bc240373b76ca63d56c77f15cefb3885bbb4f7bca447a30c34b8846cc611d966d2d21487495ce2ed0d78c627d73c7ef2e7a78

Score
10/10
revengeratnoipstealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

noip

C2

redlan.hopto.org:3344

Mutex

RV_MUTEX-EUnoWrUUgHRHX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 4 IoCs
    stealer
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
    "C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Drops file in Windows directory
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1776-54-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1944-57-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1944-55-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1944-61-0x0000000000405E4E-mapping.dmp
    Download
  • memory/1944-62-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1944-63-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1944-65-0x0000000074320000-0x00000000748CB000-memory.dmp
    Filesize

    5.7MB

    Download