Overview

overview

10

Static

static

REORDER_.exe

windows7_x64

10

REORDER_.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REORDER_.exe

  • Size

    339KB

  • MD5

    965a50b0cb0e05ba3fb39aa2dfb64980

  • SHA1

    f9d0711a8f6f430ec3bfc597be43592cebdc649e

  • SHA256

    cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

  • SHA512

    43c37e8457f55ed52b8e9ae3cce7fe4ea5403d27f58a674fa0ee976b99bda8704dedd4fe0caa4cb93d758349b02acea22faf0a0a672cc87ebb938878c6d7c3fb

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

lordiyke.duckdns.org:2336

Mutex

RV_MUTEX-YqqNLCGRFbTXZM

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 4 IoCs
    stealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REORDER_.exe
    "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:956
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1380
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
      2⤵
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\REORDER_.exe
        "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1456
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
          "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1812

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml
      Filesize

      1KB

      MD5

      e98af825c49270e6928d9f80badf4af8

      SHA1

      8e3d1db305b6170cceb4f763ee02cf12a198f814

      SHA256

      ebbafd7c57e0f7de0e9bb84c2eea461244f82d40b0bc8a376bdc7ccd1e12e599

      SHA512

      531d18c8e5d613977e753cfcb27c8ad355d2b3fdef24883520b3b91cad0a778dff6837dfbab65463c0b05d313fb5d3219c2b786e851584e701833c4e35b88504

      Download Submit
    • memory/272-57-0x0000000000210000-0x000000000026A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/956-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1380-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1456-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1456-59-0x0000000000210000-0x000000000026A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/1812-60-0x0000000000400000-0x0000000000408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1812-61-0x0000000000405E1E-mapping.dmp
      Download
    • memory/1812-63-0x0000000000400000-0x0000000000408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1812-65-0x0000000000400000-0x0000000000408000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1812-66-0x00000000753B1000-0x00000000753B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1812-67-0x0000000074460000-0x0000000074A0B000-memory.dmp
      Filesize

      5.7MB

      Download