Analysis

  • max time kernel
    161s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 21:31

General

  • Target

    196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe

  • Size

    7.2MB

  • MD5

    3955a6d8e167f30a9254d4754425da8d

  • SHA1

    0bfee09bc4d80744a28c32670d8c2c09e696e0ef

  • SHA256

    196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c

  • SHA512

    3b7a838e7207b4eaf770d55ad7f929839f4197d15b2a51787da52eafe63151ee117a8f995c58350f94596e8d2e1a1a2093cc1415835f1c09b51caad1b7faa484

Malware Config

Extracted

  • Family

    revengerat

  • Botnet

    Guest

  • C2

    rattedlmao.ddns.net:1337

  • Mutex

    RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRAT Executable 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript engine. The "/noconfig @<name>.cmdline" invocation followed by a cvtres.exe child is the pattern .NET code produces when it compiles source at run time; here it is launched by the dropped svchost.exe and is itself credited with dropping a startup file, consistent with part of the payload being built on the host rather than shipped pre-compiled.
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the signature is generic: drive enumeration is also a standard RAT file-manager capability, and no encryption or ransom-note activity is reported elsewhere in this run.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named "Cozmics" and relaunches the dropped svchost.exe every minute (/sc minute /mo 1), which both restarts the implant if it is killed and re-triggers it after reboot.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
    "C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.cmdline"
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:3168
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD3DA8F1217546C5B697E878563C170.TMP"
          4⤵
            PID:4868
        • C:\Windows\SYSTEM32\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Cozmics" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
          3⤵
          • Creates scheduled task(s)
          PID:3740
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:868
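The signatures and the process tree above are what a detection engineer would turn into rules. The following is an added example, not code from the sandbox or from the report: it runs three behavioural checks (a core OS binary name executing outside C:\Windows, a .NET compiler spawned by a non-build process, and schtasks /create with a one-minute interval or a user-writable target) over process-creation records. The EVENTS list is constructed from the tree above with its PIDs, images and command lines copied verbatim; a parent PID of 0 is an assumption where the report shows no parent, and the final System32 svchost.exe record is a constructed benign control. The T1036 mapping for the masquerading check is mine; the report's own matrix does not list it.

```python
"""Behavioural checks modelled on this report's signatures, run over
process-creation records built from its process tree (added example)."""
import re
from dataclasses import dataclass

# Core OS binary names that malware borrows; the payload here is a
# "svchost.exe" living in the user's Start Menu folder, not in System32.
CORE_OS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
WINDOWS_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_PARENTS_OK = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str  # ATT&CK v6 id, the version the report's matrix uses
    detail: str

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def masquerading_system_binary(ev, parents):
    """A core Windows binary name running from outside C:\\Windows."""
    if _base(ev.image) in CORE_OS_NAMES and not ev.image.lower().startswith(WINDOWS_DIRS):
        return Finding(ev.pid, "OS binary name outside Windows dir", "T1036", ev.image)
    return None

def runtime_compilation(ev, parents):
    """vbc.exe/csc.exe driven by a process that is not a build tool: the
    shape .NET code produces when it compiles source at run time."""
    if _base(ev.image) not in DOTNET_COMPILERS:
        return None
    parent = parents.get(ev.ppid)
    if parent is not None and _base(parent.image) in BUILD_PARENTS_OK:
        return None
    who = _base(parent.image) if parent else "<unknown>"
    return Finding(ev.pid, "compiler spawned by non-build process", "T1064",
                   "parent=" + who + " cmd=" + ev.cmdline)

def scheduled_task_persistence(ev, parents):
    """schtasks /create with a very short interval or a user-writable target."""
    if _base(ev.image) != "schtasks.exe" or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    sc = re.search(r"/sc\s+(\w+)", ev.cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", ev.cmdline, re.I)
    tr = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', ev.cmdline, re.I)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    reasons = []
    if sc and sc.group(1).lower() == "minute" and (mo is None or int(mo.group(1)) <= 5):
        reasons.append("fires every %s minute(s)" % (mo.group(1) if mo else "1"))
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("target in user-writable path")
    if not reasons:
        return None
    return Finding(ev.pid, "scheduled task persistence", "T1053", "; ".join(reasons) + " -> " + target)

RULES = (masquerading_system_binary, runtime_compilation, scheduled_task_persistence)

def detect(events):
    parents = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, parents)
            if hit:
                findings.append(hit)
    return findings

def chain(pid, events):
    """Ancestry of a hit, newest first, so an analyst sees how it got there."""
    parents = {e.pid: e for e in events}
    out = []
    while pid in parents:
        out.append(_base(parents[pid].image) + "(%d)" % pid)
        pid = parents[pid].ppid
    return " <- ".join(out)

# Constructed from the report's process tree; ppid 0 = parent not shown (assumption).
_SM = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
_FW = r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727"
EVENTS = [
    ProcEvent(3628, 0, r"C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe"'),
    ProcEvent(3036, 3628, _SM, '"' + _SM + '"'),
    ProcEvent(3168, 3036, _FW + r"\vbc.exe",
              '"' + _FW + r'\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.cmdline"'),
    ProcEvent(4868, 3168, _FW + r"\cvtres.exe",
              _FW + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBD3DA8F1217546C5B697E878563C170.TMP"'),
    ProcEvent(3740, 3036, r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /create /sc minute /mo 1 /tn "Cozmics" /tr "' + _SM + '"'),
    ProcEvent(868, 0, _SM, '"' + _SM + '"'),
    # Constructed benign control: the genuine service host must not fire.
    ProcEvent(1024, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print("%s pid=%d %s: %s" % (f.technique, f.pid, f.rule, f.detail))
        print("    " + chain(f.pid, EVENTS))
```

Run as-is it reports four hits (both Start Menu svchost.exe instances, the vbc.exe compile, and the schtasks persistence) and prints the parent chain for each; the System32 control produces nothing. On a real host the same three rules map directly onto Sysmon event ID 1 or Windows 4688 fields (Image, ParentImage, CommandLine).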

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting (1) T1064
  • Scheduled Task (1) T1053

Persistence

  • Registry Run Keys / Startup Folder (1) T1060
  • Scheduled Task (1) T1053

Privilege Escalation

  • Scheduled Task (1) T1053

Defense Evasion

  • Scripting (1) T1064
  • Modify Registry (1) T1112

Discovery

  • Query Registry (1) T1012
  • System Information Discovery (2) T1082


Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES42B1.tmp
  • C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.0.vb
  • C:\Users\Admin\AppData\Local\Temp\h2ou5nxt.cmdline
  • C:\Users\Admin\AppData\Local\Temp\vbcBD3DA8F1217546C5B697E878563C170.TMP
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe

    Filesize

    4.9MB

    MD5

    3f5e3a2bc51d95dcb5c5d1885fe3be50

    SHA1

    2d0583c5a44bfb212eac4688b135092b75231967

    SHA256

    5810289beb84532db618e5fa9cdbd1b16bf8f7d13b96af2551152801774d1e79

    SHA512

    5fa6679c84d7949b8d965f70622af9dd401a02290c23dcb696ec8424e80a1fdd1e53aba628d2e368c81e32e8b95925793dee128b2c7bc79e31d5cedcc1067c99

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe

    Filesize

    4.4MB

    MD5

    6760e3011051726c4d9a5148d6a37917

    SHA1

    b844ec3fb1dc128209ceccf6971f2213b1bcf829

    SHA256

    ab79c67171969af077941e4c2323da7809841c360dc84f60212c965d78f1fed5

    SHA512

    084cedb71a865d627b22d40172f4287a65f81d1f5f90b03dd68fe13a8a7a9941f8aca0b196da3623d27438188f0c5df5a3d0e11d656557044423ab5abe546749

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
  • memory/3036-130-0x0000000000000000-mapping.dmp
  • memory/3168-133-0x0000000000000000-mapping.dmp
  • memory/3740-140-0x0000000000000000-mapping.dmp
  • memory/4868-137-0x0000000000000000-mapping.dmp