Analysis
max time kernel: 197s
max time network: 97s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-05-2022 00:13
Static task: static1
Behavioral task: behavioral1
  Sample: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  Resource: win10v2004-20220414-en
General
Target: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
Size: 972KB
MD5: bace24eadab2c4f223dc58709049b633
SHA1: 6cf43ccca649bd07f05f118191b3b423e67dc86c
SHA256: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f
SHA512: 79cfaff3ed06701b579c2cd5fdcab633208d490fc0a1d8f1ca456cf8b421aaac47fed18c656a7ebda1c53519098a999beb72f7d2f826ba25c0b6fc639e32f83e
Malware Config
Extracted
revengerat
cuidadonoip
redlan1.hopto.org:3344
RV_MUTEX-wawrHJfWfhaR
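The extracted config above (C2 host:port and an RV_MUTEX- prefixed mutex) is what an analyst would look for in the 32KB region dumped from RegAsm.exe. The script below is an added example, not part of the sandbox report or of any RevengeRAT tooling: it scans a memory dump for those two indicator shapes in both ASCII and UTF-16LE (the encoding .NET uses for string literals) and compares the result with the report's config. It assumes the indicators are present in memory as plain strings once the payload is running; SAMPLE_DUMP is constructed to look like that and is not the real dump.

```python
"""
Added example (not part of the sandbox report): pull RevengeRAT-style
indicators out of a dumped memory region and compare them with the
config the report extracted.

Assumption, not confirmed by the report: once the payload is running in
RegAsm.exe, its mutex name and C2 endpoint sit in memory as plain ASCII
or UTF-16LE strings (.NET string literals are UTF-16LE). SAMPLE_DUMP
below is constructed to look like that; it is not the real dump.
"""
import re
from typing import Dict, List

# Indicators the report extracted from behavioral1.
KNOWN_C2 = "redlan1.hopto.org:3344"
KNOWN_MUTEX = "RV_MUTEX-wawrHJfWfhaR"

# RevengeRAT mutexes carry the "RV_MUTEX-" prefix seen in the report;
# a C2 endpoint is written as host:port.
MUTEX_RE = re.compile(rb"RV_MUTEX-[A-Za-z0-9]+")
C2_RE = re.compile(rb"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}:\d{2,5}")


def _ascii_views(blob: bytes) -> List[bytes]:
    """Return the raw bytes plus both UTF-16LE alignments folded to ASCII.

    Decoding with errors="ignore" and re-encoding as ASCII drops every
    non-ASCII code point, so a UTF-16LE string collapses to its ASCII
    form while surrounding binary turns into nothing or NUL bytes, which
    the regexes above never match.
    """
    views = [blob]
    for offset in (0, 1):  # a UTF-16LE string may start at an odd offset
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        views.append(text.encode("ascii", errors="ignore"))
    return views


def _search(blob: bytes, pattern: re.Pattern) -> List[str]:
    found = set()
    for view in _ascii_views(blob):
        for m in pattern.finditer(view):
            found.add(m.group(0).decode("ascii"))
    return sorted(found)


def extract_config(blob: bytes) -> Dict[str, List[str]]:
    """Return candidate mutex names and C2 endpoints found in a dump."""
    return {"mutex": _search(blob, MUTEX_RE), "c2": _search(blob, C2_RE)}


def matches_known_config(cfg: Dict[str, List[str]]) -> bool:
    """True when the dump contains the exact mutex and C2 from the report."""
    return KNOWN_MUTEX in cfg["mutex"] and KNOWN_C2 in cfg["c2"]


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for behavioral1/memory/2032-63-...-memory.dmp:
# a UTF-16LE mutex at an even offset, 17 filler bytes so the C2 string
# lands at an odd offset, and some unrelated ASCII that must not match.
SAMPLE_DUMP = (
    b"\x00" * 64
    + _u16(KNOWN_MUTEX) + b"\x00\x00"
    + b"\x90" * 17
    + _u16(KNOWN_C2) + b"\x00\x00"
    + b"\x00" * 30
    + b"garbage\x00"
)

if __name__ == "__main__":
    cfg = extract_config(SAMPLE_DUMP)
    print(cfg)
    print("matches report config:", matches_known_config(cfg))
```

Run it against a real dump by replacing SAMPLE_DUMP with the bytes of the `memory/2032-63-...-memory.dmp` artifact; a hit on the mutex alone is already enough to tie the RegAsm.exe image to this family, since the RV_MUTEX- prefix does not occur in a clean RegAsm.exe.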
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRAT Executable (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2032-63-0x0000000000400000-0x0000000000408000-memory.dmp | revengerat
  behavioral1/memory/2032-62-0x0000000000400000-0x0000000000408000-memory.dmp | revengerat
  behavioral1/memory/2032-61-0x0000000000405E5E-mapping.dmp | revengerat
  behavioral1/memory/2032-57-0x0000000000400000-0x0000000000408000-memory.dmp | revengerat
- Drops startup file (1 IoC)
  Processes: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMJPSET.url | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  description | pid | process | target process
  PID 1212 set thread context of 2032 | 1212 | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe | RegAsm.exe
- Drops file in Windows directory (1 IoC)
  Processes: RegAsm.exe
  description | ioc | process
  File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 2032 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  pid | process
  1212 | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (5 occurrences)
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  pid | process
  1212 | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (5 occurrences)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  description | pid | process | target process
  PID 1212 wrote to memory of 2032 | 1212 | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe | RegAsm.exe (9 occurrences)
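Read together, the SetThreadContext and WriteProcessMemory signatures describe the sample (PID 1212) spawning the signed .NET utility RegAsm.exe (PID 2032), writing a payload into it and then redirecting a thread into that payload, with the Startup-folder .url drop providing persistence. The script below is an added example, not part of the sandbox report: it is the detection logic a practitioner would run over per-call events to surface exactly that chain. The EVENTS list is constructed from the report's signature rows, and the per-call dict layout (api, pid, image, target_pid, target_image, path) is an assumption made for this example, not a sandbox export format.

```python
"""
Added example (not part of the sandbox report): detection logic for the
injection chain the report's signatures show, namely the sample (PID 1212)
spawning RegAsm.exe (PID 2032), writing into it with WriteProcessMemory,
then SetThreadContext, while also dropping a startup-folder .url file.

The EVENTS list is constructed from the report's signature rows; the
per-call dict layout is an assumption for this example, not a sandbox
export format.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE = "9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
STARTUP_URL = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\IMJPSET.url")

# Signed Microsoft .NET utilities that are popular hollowing hosts.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
NET_FRAMEWORK_DIR = "c:\\windows\\microsoft.net\\framework"  # also matches Framework64
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def _call(api: str, pid: int, image: str, **extra) -> Dict:
    return {"api": api, "pid": pid, "image": image, **extra}


# Constructed from the report: one CreateProcess, nine memory writes, one
# SetThreadContext, the startup drop, plus benign noise that must not fire.
EVENTS: List[Dict] = (
    [_call("CreateProcess", 1212, SAMPLE, target_pid=2032, target_image=REGASM)]
    + [_call("WriteProcessMemory", 1212, SAMPLE, target_pid=2032, target_image=REGASM)
       for _ in range(9)]
    + [_call("SetThreadContext", 1212, SAMPLE, target_pid=2032, target_image=REGASM),
       _call("FileCreate", 1212, SAMPLE, path=STARTUP_URL),
       _call("CreateProcess", 1800, r"C:\Windows\explorer.exe",
             target_pid=1900, target_image=r"C:\Windows\System32\notepad.exe"),
       _call("FileCreate", 1900, r"C:\Windows\System32\notepad.exe",
             path=r"C:\Users\Admin\Documents\notes.txt")]
)


def is_net_host(image: str) -> bool:
    """True for a .NET Framework utility living under the Framework dir."""
    p = image.lower()
    return p.startswith(NET_FRAMEWORK_DIR) and p.rsplit("\\", 1)[-1] in NET_HOSTS


def find_hollowing(events: List[Dict]) -> List[Dict]:
    """Pair WriteProcessMemory with SetThreadContext on the same victim.

    Writing into another process and then replacing one of its thread
    contexts is the core of process hollowing / thread hijacking; limiting
    the victim to a .NET host binary keeps the rule tight.
    """
    images: Dict[int, str] = {}
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx: Set[Tuple[int, int]] = set()
    for ev in events:
        images.setdefault(ev["pid"], ev["image"])
        if "target_pid" in ev:
            images.setdefault(ev["target_pid"], ev["target_image"])
            pair = (ev["pid"], ev["target_pid"])
            if ev["api"] == "WriteProcessMemory":
                writes[pair] += 1
            elif ev["api"] == "SetThreadContext":
                ctx.add(pair)
    findings = []
    for (src, dst), count in sorted(writes.items()):
        if src != dst and (src, dst) in ctx and is_net_host(images[dst]):
            findings.append({
                "source_pid": src, "source_image": images[src],
                "target_pid": dst, "target_image": images[dst],
                "writes": count,
            })
    return findings


def find_startup_drops(events: List[Dict]) -> List[str]:
    """Files created under a user's Startup folder (persistence)."""
    return [ev["path"] for ev in events
            if ev["api"] == "FileCreate" and STARTUP_DIR in ev["path"].lower()]


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"hollowing: {f['source_image']} (PID {f['source_pid']}) -> "
              f"{f['target_image']} (PID {f['target_pid']}), {f['writes']} writes")
    for path in find_startup_drops(EVENTS):
        print("startup persistence:", path)
```

Requiring both the write and the context change on the same (source, target) pair is what keeps this quiet: debuggers and some installers write into child processes, but a SetThreadContext from a different process into a freshly spawned RegAsm.exe has no legitimate reason on a workstation.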
Processes
- C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 2032, child of 1212)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1212-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
  Filesize: 8KB
- memory/2032-63-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/2032-62-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/2032-61-0x0000000000405E5E-mapping.dmp
- memory/2032-57-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/2032-55-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/2032-65-0x0000000074260000-0x000000007480B000-memory.dmp
  Filesize: 5.7MB