Overview

overview

10

Static

static

7ab025aa1f...ea.ps1

windows7_x64

1

7ab025aa1f...ea.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    23-05-2022 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1

  • Size

    51KB

  • MD5

    65779649108e379f6e5bbef6feb174aa

  • SHA1

    5d0dc1f6a1b4393a88b0dfe54296b6ae2e803af2

  • SHA256

    7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea

  • SHA512

    080e4f06d71c9fa446b7d34750d5510609b348a6b4d1b3f1b0d85d95fff0304cbf7a5d929e838d5eaf3e9e1217ba28acb1de46750263fb3189b43df577f3543e

Score
10/10
revengeratclienttrojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

n0ahark2021.ddns.net:5205

Mutex

VV5TAZZF27L8PCZ

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55E5.tmp" "c:\Users\Admin\AppData\Local\Temp\l0kdiu53\CSC8C180A7D5100486C9F7CA3338C89D628.TMP"
        3⤵
          PID:2212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
          PID:4200

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES55E5.tmp
        Filesize

        1KB

        MD5

        c362c1b90a0b69a22474217040b4f16f

        SHA1

        a4b63dc656f888a8326a5b3941e1d90bada23820

        SHA256

        984596338b4265995b3950bbd2a4abd976e4b4154a1d836de898acfec6ead48a

        SHA512

        f8f6f2d7bb13ead80b126b4b56b873a55f0844e07ab9a61826ef5eb58b67e62702d96650cc94335ab8ec80b0c6062fb342dfa904244de535282889f199fc5ec5

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.dll
        Filesize

        13KB

        MD5

        bd864cb844a27f7f9e1d8f1b39dca12c

        SHA1

        16fd30998c67ca8838cdc43379e1fcf2f150402b

        SHA256

        a1712ea60c92c31d433f7ec838c30d81b57100f063c58176ca3e0ad046ec6054

        SHA512

        72a107a3bf25b094e52a29dddd6a254fd78e833ffa7d39309be28545c40d17204e35799adc6676badb0ff7f715e75b881c0d22446c49fd1b5cccc18a71d5e819

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\CSC8C180A7D5100486C9F7CA3338C89D628.TMP
        Filesize

        652B

        MD5

        38657ac2a2472468c9616112760432be

        SHA1

        21d41c4e43ee3a3f244caf04d254bb85160035f7

        SHA256

        a81a2cdb4aadbb13fd3e657fcf06ace797f91d4882f49e9a9e1b8a9ab2409287

        SHA512

        eda9b5f1af1cb2783a600ade8a9021d1073a967c36f619fe4294527c005588f8784c4f7490501bf5edf8aaf8cf738db212b4d1dcda8a24a37c5ce9a93e4954c7

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.0.cs
        Filesize

        13KB

        MD5

        e03b1e7ba7f1a53a7e10c0fd9049f437

        SHA1

        3bb851a42717eeb588eb7deadfcd04c571c15f41

        SHA256

        3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

        SHA512

        a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

        Download Submit
      • \??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.cmdline
        Filesize

        327B

        MD5

        5ec5ece804fe73f222adc75d15283f1e

        SHA1

        22785647997288d01688e119481334d0b95332ee

        SHA256

        c3cbf3a43b432a14b5b0a0c6b91cd14508a60707e0bf5059f767eb3ffe7d8552

        SHA512

        50af47052b07a60313e713b1dcd24d0322b5cb7371b415c3bffa4bf0e1fbb140224a3d3e63525159306bdea193f7a8f2d25fb47bbb85ec6c7107bdb08430e998

        Download Submit
      • memory/1604-131-0x00000258EC610000-0x00000258EC686000-memory.dmp
        Filesize

        472KB

        Download
      • memory/1604-132-0x00007FFF9B510000-0x00007FFF9BFD1000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1604-130-0x00000258EA710000-0x00000258EA732000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2212-136-0x0000000000000000-mapping.dmp
        Download
      • memory/3364-133-0x0000000000000000-mapping.dmp
        Download
      • memory/4200-140-0x0000000000400000-0x000000000040A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4200-141-0x00000000004051DE-mapping.dmp
        Download
      • memory/4200-142-0x0000000005DC0000-0x0000000006364000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4200-143-0x00000000058B0000-0x000000000594C000-memory.dmp
        Filesize

        624KB

        Download