Analysis
- max time kernel: 47s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 11-05-2022 02:07
Static task: static1
Behavioral task: behavioral1
- Sample: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
- Resource: win10v2004-20220414-en
General
- Target: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
- Size: 22KB
- MD5: 2793ea0c8c30c836fc53b4d8afd6ff8b
- SHA1: a99b960af5a24cb16776d0953a392f0186c1398c
- SHA256: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2
- SHA512: cb641b3f0aa28360f0df8e63cb24dc5aaf2365db108473f72f62d495ccfaf34b3601db1d8bfa6f06bdab5d2d27cddb5fd5fa1fb1745989b12234501d64834d52
Malware Config
- Extracted: revengerat
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoCs)
  Processes:
  resource: behavioral1/memory/1524-55-0x00000000001D0000-0x00000000001D8000-memory.dmp, yara_rule: revengerat
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Program crash (1 IoCs)
  Processes:
  pid: 1996, pid_target: 1524, process: WerFault.exe, target process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 1524, process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description: PID 1524 wrote to memory of 1996, pid: 1524, process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe, target process: WerFault.exe
  description: PID 1524 wrote to memory of 1996, pid: 1524, process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe, target process: WerFault.exe
  description: PID 1524 wrote to memory of 1996, pid: 1524, process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe, target process: WerFault.exe
  description: PID 1524 wrote to memory of 1996, pid: 1524, process: 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe, target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (child) C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1480
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1524-54-0x0000000000290000-0x000000000029C000-memory.dmp (Filesize: 48KB)
- memory/1524-55-0x00000000001D0000-0x00000000001D8000-memory.dmp (Filesize: 32KB)
- memory/1524-56-0x0000000076851000-0x0000000076853000-memory.dmp (Filesize: 8KB)
- memory/1996-57-0x0000000000000000-mapping.dmp