Analysis
- max time kernel: 57s
- max time network: 92s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-05-2022 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
- Resource: win10v2004-20220414-en
General
- Target: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
- Size: 967KB
- MD5: ee2fe8acd41c86fead2525b4420a5956
- SHA1: 991f74f3f33de2757af89c1e62090a9703f21fc2
- SHA256: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e
- SHA512: ed19c53ae47fa77a6e45c479f40bc240373b76ca63d56c77f15cefb3885bbb4f7bca447a30c34b8846cc611d966d2d21487495ce2ed0d78c627d73c7ef2e7a78
Malware Config
Extracted:
- Family: revengerat
- noip
- Host: redlan.hopto.org:3344
- Mutex: RV_MUTEX-EUnoWrUUgHRHX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (4 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1944-57-0x0000000000400000-0x0000000000408000-memory.dmp / revengerat
    behavioral1/memory/1944-61-0x0000000000405E4E-mapping.dmp / revengerat
    behavioral1/memory/1944-62-0x0000000000400000-0x0000000000408000-memory.dmp / revengerat
    behavioral1/memory/1944-63-0x0000000000400000-0x0000000000408000-memory.dmp / revengerat
- Drops startup file (1 IoC)
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BingMaps.url
- Suspicious use of SetThreadContext (1 IoC)
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe (PID 1776)
    PID 1776 set thread context of 1944; target process: RegAsm.exe
- Drops file in Windows directory (1 IoC)
  Process: RegAsm.exe
    File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: RegAsm.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RegAsm.exe (PID 1944)
    Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe (PID 1776), 3 occurrences
- Suspicious use of SendNotifyMessage (3 IoCs)
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe (PID 1776), 3 occurrences
- Suspicious use of WriteProcessMemory (9 IoCs)
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe (PID 1776)
    PID 1776 wrote to memory of 1944; target process: RegAsm.exe (9 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1776-54-0x00000000754A1000-0x00000000754A3000-memory.dmp (8KB)
- memory/1944-57-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1944-55-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1944-61-0x0000000000405E4E-mapping.dmp
- memory/1944-62-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1944-63-0x0000000000400000-0x0000000000408000-memory.dmp (32KB)
- memory/1944-65-0x0000000074320000-0x00000000748CB000-memory.dmp (5.7MB)