Malware Analysis Report

2025-04-14 05:10

Sample ID 220523-3z7ajadegm
Target d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea
SHA256 d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea
Tags
revengerat 2sp force dz persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea

Threat Level: Known bad

The file d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea was found to be: Known bad.

Malicious Activity Summary

revengerat 2sp force dz persistence stealer trojan

Revengerat family

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 23:58

Signatures

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Revengerat family

revengerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 23:58

Reported

2022-05-24 00:01

Platform

win7-20220414-en

Max time kernel

151s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe

"C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | imaneblueyesvpn.ddns.net | udp

Files

memory/1796-54-0x000007FEF2680000-0x000007FEF3716000-memory.dmp

memory/1796-55-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

MD5 759e1216fa75f7fca3bc7c84094ca531
SHA1 399e938b13613873c3f50759ce9386a38968ca3f
SHA256 d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea
SHA512 7bb0bbe4033b966978c4a621822b40184e0a63748151cdfe50fb7d659c74dedae8c9e8fd142e1aaf495c23556683173b70ba65e4af14ebac44c6fa787fa66917

memory/844-56-0x0000000000000000-mapping.dmp

memory/844-59-0x000007FEF2680000-0x000007FEF3716000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 23:58

Reported

2022-05-24 00:01

Platform

win10v2004-20220414-en

Max time kernel

184s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Client.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe

"C:\Users\Admin\AppData\Local\Temp\d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe"

Network

Country | Destination | Domain | Proto
US | 13.89.178.27:443 | | tcp
US | 8.8.8.8:53 | imaneblueyesvpn.ddns.net | udp
NL | 88.221.144.179:80 | | tcp
US | 8.8.8.8:53 | imaneblueyesvpn.ddns.net | udp
US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Client.exe

MD5 759e1216fa75f7fca3bc7c84094ca531
SHA1 399e938b13613873c3f50759ce9386a38968ca3f
SHA256 d94c2a5ea62d3c59414860b031c2926c30603f6276030f5ab5d6796d59b918ea
SHA512 7bb0bbe4033b966978c4a621822b40184e0a63748151cdfe50fb7d659c74dedae8c9e8fd142e1aaf495c23556683173b70ba65e4af14ebac44c6fa787fa66917

memory/4800-130-0x0000000000000000-mapping.dmp