Analysis
- max time kernel: 163s
- max time network: 185s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-05-2022 17:12

Static task
- static1

Behavioral task
- behavioral1
  Sample: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
  Resource: win7-20220414-en

Behavioral task
- behavioral2
  Sample: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
  Resource: win10v2004-20220414-en
General
- Target: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
- Size: 967KB
- MD5: ee2fe8acd41c86fead2525b4420a5956
- SHA1: 991f74f3f33de2757af89c1e62090a9703f21fc2
- SHA256: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e
- SHA512: ed19c53ae47fa77a6e45c479f40bc240373b76ca63d56c77f15cefb3885bbb4f7bca447a30c34b8846cc611d966d2d21487495ce2ed0d78c627d73c7ef2e7a78
Malware Config
Extracted
- Family: revengerat
- Botnet ID: noip
- C2: redlan.hopto.org:3344
- Mutex: RV_MUTEX-EUnoWrUUgHRHX

hopto.org is a No-IP dynamic-DNS domain, so the C2 resolves to whatever address the operator currently points it at; pivot and block on the hostname and mutex rather than on a resolved IP.
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  Resource: behavioral2/memory/4548-131-0x0000000000400000-0x0000000000408000-memory.dmp
  YARA rule: revengerat
  The match is on a 32 KB memory region at image base 0x400000 of PID 4548 (RegAsm.exe), not on the 967 KB file on disk: the unpacked RAT body is a small payload that only appears once the loader has injected it into the child process.
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BingMaps.url
  Process: 0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe
  A .url shortcut in the per-user Startup folder is run by the shell at every logon, so this is the persistence mechanism. The report does not show what the shortcut points to.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2180 (0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe) set thread context of PID 4548 (RegAsm.exe)
  Together with the five WriteProcessMemory events below and the memory-dump match above, this is the process-hollowing pattern: the loader starts a legitimate signed .NET Framework binary (RegAsm.exe), writes the RAT into its address space, and points its thread at the injected code with SetThreadContext.
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  Process: RegAsm.exe
  The IoC is a handle opened with write access on RegAsm.exe's own image; no write to the file is recorded here.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 (RegAsm.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RegAsm.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4548 (RegAsm.exe)
  The privilege is requested by the hollowed child, not by the loader: attribute it to the RAT payload, not to RegAsm.exe.
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2180 (0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe), 4 events
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2180 (0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe), 4 events
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 2180 (0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe) wrote to memory of PID 4548 (RegAsm.exe), 5 events
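The signatures above are more useful correlated than alerted on one at a time: the WriteProcessMemory and SetThreadContext calls from the loader into RegAsm.exe are the hollowing pair, the .url in the Startup folder is the persistence, and SeDebugPrivilege is requested by the hollowed child. The Python below is an added example, not part of the sandbox report or of any sandbox vendor's tooling; it runs that correlation over event records constructed by hand to mirror the report's IoCs. The Event field names and the HOLLOW_HOSTS allow-list are assumptions of this example.

```python
"""Correlate sandbox process events into hollowing, persistence and privilege findings.

Added example, not part of the sandbox report. SAMPLE_EVENTS below is constructed
by hand to mirror the report's signature tables; the Event field names and the
HOLLOW_HOSTS list are assumptions of this example, not a sandbox export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Signed Microsoft binaries commonly used as hollowing hosts (assumed allow-list;
# the report itself only shows RegAsm.exe).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

# Path fragment of the per-user Startup folder, compared case-insensitively.
STARTUP_DIR = "\\start menu\\programs\\startup\\"


@dataclass
class Event:
    kind: str             # WriteProcessMemory | SetThreadContext | FileCreate | TokenPrivilege | RegQuery
    pid: int              # acting process
    image: str            # acting process image path
    target_pid: int = 0   # cross-process operations only
    target_image: str = ""
    path: str = ""        # file or registry path
    privilege: str = ""   # TokenPrivilege only


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hollowing(events):
    """Map (parent_pid, child_pid) -> details for every pair where the parent both
    wrote into the child's memory and changed one of its thread contexts.
    Either call alone is common (debuggers, crash handlers); the pair is the signal."""
    writes = defaultdict(int)
    ctx_pairs = set()
    target_image = {}
    for e in events:
        if e.kind in ("WriteProcessMemory", "SetThreadContext"):
            key = (e.pid, e.target_pid)
            target_image[key] = e.target_image
            if e.kind == "WriteProcessMemory":
                writes[key] += 1
            else:
                ctx_pairs.add(key)
    hits = {}
    for key in ctx_pairs:
        if writes[key]:
            host = basename(target_image[key])
            hits[key] = {"writes": writes[key], "host": host,
                         "lolbin_host": host in HOLLOW_HOSTS}
    return hits


def find_startup_persistence(events):
    return [(e.pid, e.path) for e in events
            if e.kind == "FileCreate" and STARTUP_DIR in e.path.lower()]


def find_debug_privilege(events):
    return [e.pid for e in events
            if e.kind == "TokenPrivilege" and e.privilege == "SeDebugPrivilege"]


def triage(events):
    """Return findings; SeDebugPrivilege inside a hollowed child is attributed
    to the injected payload rather than to the host binary."""
    hollowed = find_hollowing(events)
    hollowed_children = {child for (_, child) in hollowed}
    findings = []
    for (ppid, cpid), d in sorted(hollowed.items()):
        findings.append({"rule": "process_hollowing", "pid": ppid, "target_pid": cpid, **d})
    for pid, path in find_startup_persistence(events):
        findings.append({"rule": "startup_persistence", "pid": pid, "path": path})
    for pid in find_debug_privilege(events):
        findings.append({"rule": "sedebugprivilege", "pid": pid,
                         "in_hollowed_child": pid in hollowed_children})
    return findings


# Constructed to mirror the report: loader PID 2180, hollowed RegAsm.exe PID 4548.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
SAMPLE_EVENTS = [
    Event("FileCreate", 2180, LOADER,
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BingMaps.url"),
    *[Event("WriteProcessMemory", 2180, LOADER, 4548, REGASM) for _ in range(5)],
    Event("SetThreadContext", 2180, LOADER, 4548, REGASM),
    Event("RegQuery", 4548, REGASM,
          path=r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    Event("TokenPrivilege", 4548, REGASM, privilege="SeDebugPrivilege"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The hollowing rule deliberately requires both calls on the same parent/child pair: WriteProcessMemory alone fires on debuggers and crash reporters, SetThreadContext alone on exception handlers, and the pair is what the loader here could not avoid. The lolbin_host flag is a severity bump, not a precondition, so an injector that hollows a less well-known host still surfaces.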
Processes
- C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe (PID 2180)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0063f6a96b61507a769319cf8f9a3f97d9bef5e266636e2e0b94c41784f3536e.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 4548, child of 2180)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

RegAsm.exe started with no arguments by a binary in %TEMP% is a good hunting pivot on its own: the tool normally takes an assembly path, and a parent outside a development toolchain is not a legitimate registration workflow.