Overview

overview

10

Static

static

37b319541d...69.exe

windows7_x64

6

37b319541d...69.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    194s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe

  • Size

    55KB

  • MD5

    e62a598e2a43efb4aa080455d70ad9c4

  • SHA1

    ec296fd2130c41479c9743fb93cdaab8675882d6

  • SHA256

    37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69

  • SHA512

    593e714e18181f95b2f25bc556f0ee3e9ed26981d4611eeb7516c7453405387562ab693dd24df39019d226e14352b4095fe8a787e4c8723fa1e51649d9000d29

Score
10/10
revengeratmr_ahmedtrojan

Malware Config

Extracted

Family

revengerat

Botnet

MR_ahmed

C2

192.168.1.2:333

Mutex

9f8d2a8cc3e644

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
    "C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe
      "C:\Users\Admin\AppData\Local\Temp\37b319541d45bfb21b89977e579d81b161c55d24e580a455b0fb2d1dbb471e69.exe"
      2⤵
        PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c ping 127.0.0.1 -n 10 & copy "C:\Users\Admin\AppData\Local\Temp\x.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe"
        2⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 10
          3⤵
          • Runs ping.exe
          PID:3676

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\x.exe
      Filesize

      11KB

      MD5

      9b8b1fc82d2a8c79261cec2175c2a61e

      SHA1

      b7b1fccfe1e933593102ef3578406054df28dee8

      SHA256

      997f95070dd2348e0b2018c0f848a317a0bab05fd9befd3483508f9130572cb8

      SHA512

      6894269391f398ed4c4e3c0a00257db2c862de4ef01648c6505f3aa72f1014c8f2282499f4e861e0c7d81828b9465006f17ecac5e608dcc5fb0561938211f7ef

      Download Submit
    • memory/2568-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2568-132-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2568-135-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2936-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3676-134-0x0000000000000000-mapping.dmp
      Download
    • memory/4180-130-0x0000000074B90000-0x0000000075141000-memory.dmp
      Filesize

      5.7MB

      Download