Analysis

  • max time kernel
    94s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 14:11

General

  • Target

    00INVN0987.js

  • Size

    204KB

  • MD5

    3a2a1650aa3f0bdf262b244f636c01c5

  • SHA1

    a7d61b35c91326e983c7d725b1ed8f49162f4758

  • SHA256

    06672589c9c70009f9342ba946bcf8f671b7fc3a1f1031b02442f3d85e0afe94

  • SHA512

    d05201160c7e3331db834a5d986e93c13506e2f28b431ffc452f4aef47266d0a7b0541dc9178cb974f73c18064d964bda5d6d43ce0f3519e5cc1275c7b03fb3f

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\00INVN0987.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\myNUstntrH.js"
      2⤵
        PID:5024
      • C:\Users\Admin\AppData\Local\Temp\001.exe
        "C:\Users\Admin\AppData\Local\Temp\001.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3128
        • C:\Users\Admin\AppData\Roaming\Client.exe
          "C:\Users\Admin\AppData\Roaming\Client.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1532

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Discovery
      • Query Registry (2): T1012
      • System Information Discovery (3): T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\001.exe
      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

    • C:\Users\Admin\AppData\Roaming\Client.exe
      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

    • C:\Users\Admin\AppData\Roaming\myNUstntrH.js
      Filesize

      17KB

      MD5

      7fcc69ae32f6a2886980fb92a08bf480

      SHA1

      8cb6feca11b461acef5878e9473dbe62f34aa65f

      SHA256

      89cc7795ed9ad5189dca10a64a89cd3bfd59ed1e6aa17137f45846574e35bdd4

      SHA512

      684d5345e6190948fc9f915beeb040dbb7ac28b6865925fcdc11778f63cfdecd7feddd2e5dad44b0e4b0478943e3d88ce4f04c0f8b382fcdfbe3fef044b73cd3

    • memory/1532-136-0x0000000000000000-mapping.dmp
    • memory/1532-139-0x00007FF85CA60000-0x00007FF85D496000-memory.dmp
      Filesize

      10.2MB

    • memory/3128-132-0x0000000000000000-mapping.dmp
    • memory/3128-135-0x00007FF85CA60000-0x00007FF85D496000-memory.dmp
      Filesize

      10.2MB

    • memory/5024-130-0x0000000000000000-mapping.dmp