Malware Analysis Report

2025-04-14 05:10

Sample ID 220523-3qpzwshgg3
Target c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2
SHA256 c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2
Tags stealer m939 revengerat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10
SHA256 c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2

Threat Level: Known bad

The file c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2 was found to be: Known bad.

Malicious Activity Summary

stealer m939 revengerat trojan

RevengeRat Executable

Revengerat family

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-05-23 23:43

Signatures

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Revengerat family

revengerat

Analysis: behavioral1

Detonation Overview

Submitted 2022-05-23 23:43
Reported 2022-05-23 23:45
Platform win7-20220414-en
Max time kernel 147s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hlak.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\hlak.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe

"C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe"

C:\Users\Admin\AppData\Roaming\hlak.exe

"C:\Users\Admin\AppData\Roaming\hlak.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 5 /tn "hort" /tr "C:\Users\Admin\AppData\Roaming\hlak.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 landbo.ddns.net udp

Files

memory/1664-54-0x000007FEF37B0000-0x000007FEF4846000-memory.dmp

memory/1664-55-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\hlak.exe

MD5 df66356151d4671e06f88a44b4c28dd3
SHA1 015f855ae32785eb9ea8ad1ecf252e3b6efaf88a
SHA256 c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2
SHA512 bde5b8f19acca1dbec8516bfc9391173edad64315a8277c454e296807a2fae7cafdc644707e082c5f984e546893f6220651895665b4f0489aeb565457e0e4a83

memory/1968-59-0x000007FEF3300000-0x000007FEF4396000-memory.dmp

memory/1968-56-0x0000000000000000-mapping.dmp

memory/1208-60-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-05-23 23:43
Reported 2022-05-23 23:45
Platform win10v2004-20220414-en
Max time kernel 150s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hlak.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\hlak.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe

"C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe"

C:\Users\Admin\AppData\Roaming\hlak.exe

"C:\Users\Admin\AppData\Roaming\hlak.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /mo 5 /tn "hort" /tr "C:\Users\Admin\AppData\Roaming\hlak.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 landbo.ddns.net udp
NL 88.221.144.192:80 tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp
NL 13.69.109.131:443 tcp
US 204.79.197.203:80 tcp
NL 8.248.3.254:80 tcp
US 8.251.167.126:80 tcp
US 8.8.8.8:53 udp

Files

memory/3844-130-0x000000001BF30000-0x000000001C966000-memory.dmp

memory/3964-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\hlak.exe

MD5 df66356151d4671e06f88a44b4c28dd3
SHA1 015f855ae32785eb9ea8ad1ecf252e3b6efaf88a
SHA256 c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2
SHA512 bde5b8f19acca1dbec8516bfc9391173edad64315a8277c454e296807a2fae7cafdc644707e082c5f984e546893f6220651895665b4f0489aeb565457e0e4a83

memory/3964-134-0x000000001C290000-0x000000001CCC6000-memory.dmp

memory/3344-135-0x0000000000000000-mapping.dmp