Malware Analysis Report

2025-04-14 05:10

Sample ID 220523-rq6f4ahdem
Target 7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea
SHA256 7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea
Tags
revengerat client trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea

Threat Level: Known bad

The file 7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea was found to be: Known bad.

Malicious Activity Summary

revengerat client trojan

RevengeRAT

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-23 14:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 14:24

Reported

2022-05-23 14:27

Platform

win7-20220414-en

Max time kernel

36s

Max time network

45s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1

Signatures

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1

Network

N/A

Files

memory/888-54-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

memory/888-55-0x000007FEF2CA0000-0x000007FEF37FD000-memory.dmp

memory/888-57-0x000000000252B000-0x000000000254A000-memory.dmp

memory/888-56-0x0000000002524000-0x0000000002527000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 14:24

Reported

2022-05-23 14:27

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

152s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1

Signatures

RevengeRAT

trojan revengerat

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1604 set thread context of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1604 wrote to memory of 3364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1604 wrote to memory of 3364 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3364 wrote to memory of 2212 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 3364 wrote to memory of 2212 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1604 wrote to memory of 4200 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\7ab025aa1f53605e0e33299dbe89cceea79144ab98ff9a39a54c9ddab53a9eea.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55E5.tmp" "c:\Users\Admin\AppData\Local\Temp\l0kdiu53\CSC8C180A7D5100486C9F7CA3338C89D628.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | n0ahark2021.ddns.net | udp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.140:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
NL | 13.69.109.130:443 | | tcp
NL | 104.110.191.133:80 | | tcp
NL | 104.110.191.133:80 | | tcp
NL | 104.110.191.133:80 | | tcp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
US | 8.8.8.8:53 | n0ahark2021.ddns.net | udp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp
US | 8.8.8.8:53 | n0ahark2021.ddns.net | udp
US | 1.1.1.1:5205 | n0ahark2021.ddns.net | tcp

Files

memory/1604-130-0x00000258EA710000-0x00000258EA732000-memory.dmp

memory/1604-131-0x00000258EC610000-0x00000258EC686000-memory.dmp

memory/1604-132-0x00007FFF9B510000-0x00007FFF9BFD1000-memory.dmp

memory/3364-133-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.cmdline

MD5 5ec5ece804fe73f222adc75d15283f1e
SHA1 22785647997288d01688e119481334d0b95332ee
SHA256 c3cbf3a43b432a14b5b0a0c6b91cd14508a60707e0bf5059f767eb3ffe7d8552
SHA512 50af47052b07a60313e713b1dcd24d0322b5cb7371b415c3bffa4bf0e1fbb140224a3d3e63525159306bdea193f7a8f2d25fb47bbb85ec6c7107bdb08430e998

\??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.0.cs

MD5 e03b1e7ba7f1a53a7e10c0fd9049f437
SHA1 3bb851a42717eeb588eb7deadfcd04c571c15f41
SHA256 3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512 a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

\??\c:\Users\Admin\AppData\Local\Temp\l0kdiu53\CSC8C180A7D5100486C9F7CA3338C89D628.TMP

MD5 38657ac2a2472468c9616112760432be
SHA1 21d41c4e43ee3a3f244caf04d254bb85160035f7
SHA256 a81a2cdb4aadbb13fd3e657fcf06ace797f91d4882f49e9a9e1b8a9ab2409287
SHA512 eda9b5f1af1cb2783a600ade8a9021d1073a967c36f619fe4294527c005588f8784c4f7490501bf5edf8aaf8cf738db212b4d1dcda8a24a37c5ce9a93e4954c7

C:\Users\Admin\AppData\Local\Temp\l0kdiu53\l0kdiu53.dll

MD5 bd864cb844a27f7f9e1d8f1b39dca12c
SHA1 16fd30998c67ca8838cdc43379e1fcf2f150402b
SHA256 a1712ea60c92c31d433f7ec838c30d81b57100f063c58176ca3e0ad046ec6054
SHA512 72a107a3bf25b094e52a29dddd6a254fd78e833ffa7d39309be28545c40d17204e35799adc6676badb0ff7f715e75b881c0d22446c49fd1b5cccc18a71d5e819

C:\Users\Admin\AppData\Local\Temp\RES55E5.tmp

MD5 c362c1b90a0b69a22474217040b4f16f
SHA1 a4b63dc656f888a8326a5b3941e1d90bada23820
SHA256 984596338b4265995b3950bbd2a4abd976e4b4154a1d836de898acfec6ead48a
SHA512 f8f6f2d7bb13ead80b126b4b56b873a55f0844e07ab9a61826ef5eb58b67e62702d96650cc94335ab8ec80b0c6062fb342dfa904244de535282889f199fc5ec5

memory/2212-136-0x0000000000000000-mapping.dmp

memory/4200-140-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4200-141-0x00000000004051DE-mapping.dmp

memory/4200-142-0x0000000005DC0000-0x0000000006364000-memory.dmp

memory/4200-143-0x00000000058B0000-0x000000000594C000-memory.dmp