Overview

overview

10

Static

static

365d0d94f8...5f.exe

windows7_x64

10

365d0d94f8...5f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-05-2022 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe

  • Size

    231KB

  • MD5

    09cd267ca92d6c3dcbaa05e70477962f

  • SHA1

    a9786770752e9f6ca8a49f109cf9fe9783e5aa9d

  • SHA256

    365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f

  • SHA512

    87bfe294cdcd711a44976f8aec1aa51d48fe9cc83ed08ab6ef04a1c144fb545874f517d9f9232f1fef2bc154b8da0cda6d3259bf8952ebb683e69b04c09bb83a

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

195.206.106.176:7865

Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 5 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe
    "C:\Users\Admin\AppData\Local\Temp\365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Roaming\Client.exe
        "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Executes dropped EXE
        PID:2036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1740
      2⤵
      • Program crash
      PID:1540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Client.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Client.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • \Users\Admin\AppData\Roaming\Client.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • memory/1540-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1724-69-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-67-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-60-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-61-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-63-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-64-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1724-65-0x0000000000405EAE-mapping.dmp
    Download
  • memory/1728-59-0x0000000001DC0000-0x0000000001DC6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1728-54-0x0000000000970000-0x00000000009B0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1728-58-0x0000000000480000-0x0000000000498000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1728-57-0x0000000001EB0000-0x0000000001EE0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1728-56-0x0000000000720000-0x000000000074E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1728-55-0x0000000076451000-0x0000000076453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-73-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-76-0x0000000000880000-0x000000000088C000-memory.dmp
    Filesize

    48KB

    Download