Overview

overview

10

Static

static

10

0x000a0000...58.exe

windows7_x64

10

0x000a0000...58.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0x000a0000000122da-58.exe

  • Size

    86KB

  • MD5

    117fa52c8400ad57e1a32503e7138abc

  • SHA1

    e6cfae7554a85bf343089ba627688ff122188a9e

  • SHA256

    e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

  • SHA512

    e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 3 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 7 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe"
    1⤵
    • Checks computer location settings
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Roaming\Client.exe
      "C:\Users\Admin\AppData\Roaming\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\90i47eza.cmdline"
        3⤵
        • Drops startup file
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87BF64919FFC4E2FA3235ABDB8EB6E26.TMP"
          4⤵
            PID:2192

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Persistence

    Privilege Escalation

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\90i47eza.0.vb
      Filesize

      150B

      MD5

      1b4fb5e3edf737cc570101af098b8b8b

      SHA1

      697dbfdbc070868122e4d909e3115547c82ff5ed

      SHA256

      d667f032a9538d08f05f8ac3c53d791251bc709ce6ea2ad2b8d2dbff9e3dff31

      SHA512

      c85eab737e23aa984a6d18035ec122ef711d54b405efb1476f5226c3f140cb5c208543f8111d13747ca563926cc244e6ec0f8b5593b1ca75bc2e07bb6aa7f387

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\90i47eza.cmdline
      Filesize

      194B

      MD5

      6a31b965cca33db940d3b138ea2411d8

      SHA1

      c3afaaf68866d41df0060d5174dfac3ba4e81049

      SHA256

      3d403de751e8dc937cb402facfa365a391889826e9a6a6ce68ccbedd5705cb68

      SHA512

      a5761edf017d8ba04b9be1bcf201cc11e11f4f21e0116f09a1c098fccc6b63b5ddadff22218ed9af4e99933b98e174e4cee22e0ff151b532bb69cfebb60c6b0f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RES12E7.tmp
      Filesize

      1KB

      MD5

      0f7acb38ea2529998a3e5bd7971bd4a0

      SHA1

      49ccdf8a1ab794b6584b8688e60d566fa15b5b6d

      SHA256

      78dc1de3d845bc6a1efd6f99e936d4d25dc24632a492125d80780ceb1b1f0f11

      SHA512

      e55e23488a0dd161d11182887d231896f71b6aafee2a13675d9f7386a97cbcddfed541d330c41f0340a68859ab3e0ad74979137cf0081ea02c2bb2017062529f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vbc87BF64919FFC4E2FA3235ABDB8EB6E26.TMP
      Filesize

      644B

      MD5

      23c5f6c5bb4e5de59ec5aa884ea098d3

      SHA1

      7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

      SHA256

      7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

      SHA512

      bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Client.exe
      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Client.exe
      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
      Filesize

      86KB

      MD5

      117fa52c8400ad57e1a32503e7138abc

      SHA1

      e6cfae7554a85bf343089ba627688ff122188a9e

      SHA256

      e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

      SHA512

      e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

      Download Submit
    • memory/224-135-0x0000000000000000-mapping.dmp
      Download
    • memory/2176-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2176-134-0x00007FFC61090000-0x00007FFC61AC6000-memory.dmp
      Filesize

      10.2MB

      Download
    • memory/2192-139-0x0000000000000000-mapping.dmp
      Download
    • memory/2944-130-0x00007FFC61090000-0x00007FFC61AC6000-memory.dmp
      Filesize

      10.2MB

      Download