Analysis
max time kernel: 143s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-05-2022 00:13
Static task: static1
Behavioral task: behavioral1
  Sample: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  Resource: win10v2004-20220414-en
General
Target: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
Size: 972KB
MD5: bace24eadab2c4f223dc58709049b633
SHA1: 6cf43ccca649bd07f05f118191b3b423e67dc86c
SHA256: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f
SHA512: 79cfaff3ed06701b579c2cd5fdcab633208d490fc0a1d8f1ca456cf8b421aaac47fed18c656a7ebda1c53519098a999beb72f7d2f826ba25c0b6fc639e32f83e
Malware Config
Extracted
Family: revengerat
Botnet: cuidadonoip
C2: redlan1.hopto.org:3344
Mutex: RV_MUTEX-wawrHJfWfhaR
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoC)
  Resource: behavioral2/memory/3520-131-0x0000000000400000-0x0000000000408000-memory.dmp
  YARA rule: revengerat

Drops startup file (1 IoC)
  Process: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMJPSET.url

Suspicious use of SetThreadContext (1 IoC)
  Process: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (PID 1820)
  Description: PID 1820 set thread context of 3520
  Target process: RegAsm.exe (PID 3520)

Drops file in Windows directory (1 IoC)
  Process: RegAsm.exe
  Description: File opened for modification
  IoC: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RegAsm.exe (PID 3520)
  Description: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  Process: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (PID 1820), 4 identical entries

Suspicious use of SendNotifyMessage (4 IoCs)
  Process: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (PID 1820), 4 identical entries

Suspicious use of WriteProcessMemory (5 IoCs)
  Process: 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe (PID 1820)
  Description: PID 1820 wrote to memory of 3520, 5 identical entries
  Target process: RegAsm.exe (PID 3520)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. (child of 1) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken