Analysis
max time kernel: 182s
max time network: 191s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 09:24

Static task: static1

Behavioral task: behavioral1
Sample: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe
Resource: win10v2004-20220414-en
General
Target: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe
Size: 99KB
MD5: 5391a62d2df63872a0cb74a6df44f832
SHA1: 46f3c7bae6f4f3b71d79692585d154ddda84d1bb
SHA256: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad
SHA512: e2d2ae51a74ba02f61e2372569ddb31a70cd433f4e79ee390033d1e59ffe17fbd2f10803502297aebbdef039a2b039a17c1218c721f6e14476d1f59284d57617
Malware Config
Extracted
revengerat
poweershel
40999up.sytes.net:1515
acecervolta.duckdns.org:1515
RV_MUTEX-xgZblRvZwfRt
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoCs)
Processes:
resource: behavioral1/memory/912-55-0x0000000000700000-0x000000000070A000-memory.dmp
yara_rule: revengerat

Drops startup file (1 IoCs)
Processes: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outlookengimesP.lnk
process: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe
description: Token: SeDebugPrivilege
pid: 912
process: 94d9cfda3e2a60aea012b0948c9f9eaf55d1f7d90fb1bc9e9c094a3a064669ad.exe