Overview

overview

10

Static

static

REORDER_.exe

windows7_x64

10

REORDER_.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REORDER_.exe

  • Size

    339KB

  • MD5

    965a50b0cb0e05ba3fb39aa2dfb64980

  • SHA1

    f9d0711a8f6f430ec3bfc597be43592cebdc649e

  • SHA256

    cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

  • SHA512

    43c37e8457f55ed52b8e9ae3cce7fe4ea5403d27f58a674fa0ee976b99bda8704dedd4fe0caa4cb93d758349b02acea22faf0a0a672cc87ebb938878c6d7c3fb

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

lordiyke.duckdns.org:2336

Mutex

RV_MUTEX-YqqNLCGRFbTXZM

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REORDER_.exe
    "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN Windowsupdator /XML "C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml"
        3⤵
        • Creates scheduled task(s)
        PID:4228
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\REORDER_.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\f923d393131742579d889796201033a6.xml
    Filesize

    1KB

    MD5

    4bc650407ae944dd0007bfad84f060aa

    SHA1

    51a2c1d9a73bfaa6dc1fe1f7c4133b301f85fd6c

    SHA256

    2ad315e9b94342a64e978378d69ff8ab70b73e8673a88015399378c55e290dfa

    SHA512

    d0cc05f256c55ed86ae8b74d61549106d7eba61b27e5c8594fa97b9094324d7db70c55830ae043e5db28cf744f88e2f0a2e3fba5d7f4aa05c90966835f6aa657

    Download Submit
  • memory/2356-130-0x0000000000580000-0x00000000005DA000-memory.dmp
    Filesize

    360KB

    Download
  • memory/3232-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3232-135-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3232-136-0x0000000074B00000-0x00000000750B1000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/3848-131-0x0000000000000000-mapping.dmp
    Download
  • memory/4228-132-0x0000000000000000-mapping.dmp
    Download