Overview

overview

10

Static

static

fd4f94d122...fa.exe

windows7_x64

10

fd4f94d122...fa.exe

windows10-2004_x64

5

Analysis

  • max time kernel
    136s
  • max time network
    114s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-05-2022 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd4f94d12269d74166408823e51fe1fbc64a776ade7554a27acaf07cae6483fa.exe

  • Size

    89KB

  • MD5

    793fd610adf1d34f757e9db8510e8ff2

  • SHA1

    e54835aea0d357cd955c3c9876f6c6b1982fcf99

  • SHA256

    fd4f94d12269d74166408823e51fe1fbc64a776ade7554a27acaf07cae6483fa

  • SHA512

    3ad0a8c0aa14b2bea294d9aa5d914e46dc33d4df1ef2083c5050ab4cac693c01f0419ce9e3da20487d21102baa16b4cc9ce48947127b76aaf661a5bbe84fdd8f

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

darkking111.hopto.org:3131

darkking111.hopto.org:5353

102ef32.ddns.net:3131

102ef32.ddns.net:5353

1026ef32.ddns.net :3131

1026ef32.ddns.net :5353
Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 5 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd4f94d12269d74166408823e51fe1fbc64a776ade7554a27acaf07cae6483fa.exe
    "C:\Users\Admin\AppData\Local\Temp\fd4f94d12269d74166408823e51fe1fbc64a776ade7554a27acaf07cae6483fa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Roaming\Windows Update.exe
        "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        3⤵
        • Executes dropped EXE
        PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    96KB

    MD5

    7825cad99621dd288da81d8d8ae13cf5

    SHA1

    f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

    SHA256

    529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

    SHA512

    2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

    Download Submit
  • \Users\Admin\AppData\Roaming\Windows Update.exe
    Filesize

    96KB

    MD5

    7825cad99621dd288da81d8d8ae13cf5

    SHA1

    f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

    SHA256

    529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

    SHA512

    2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

    Download Submit
  • memory/1344-54-0x0000000001050000-0x000000000106C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1344-55-0x0000000076171000-0x0000000076173000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1344-56-0x0000000000370000-0x0000000000384000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1564-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1664-61-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1664-62-0x000000000040616E-mapping.dmp
    Download
  • memory/1664-64-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1664-66-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1664-60-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1664-58-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1664-57-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download