Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 09:29
Static task: static1
Behavioral task: behavioral1
  Sample: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
  Resource: win10v2004-20220414-en
General
- Target: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
- Size: 81KB
- MD5: f44f71fbbb725def604dc7681163d7c3
- SHA1: a270d1637bb509f72de959461286421ace9cc7e7
- SHA256: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf
- SHA512: 4c366b0162f3949e5c62c744d4fd62d43dc8e07f9177c2bd25484ea9e43d714ddf46ff5af5192d7dacad04fd826d59a55ed2871dd318b307333abfcaa0edfd36
Malware Config
Extracted
- Family: revengerat
- Botnet: PAULINHAAA
- C2: 4099.ddns.net:1515
- C2: popup.duckdns.org:1515
- Mutex: RV_MUTEX-NNHuiGGjjtnxD
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoCs)
  Processes:
    resource: behavioral1/memory/1944-55-0x00000000003F0000-0x00000000003F8000-memory.dmp
    yara_rule: revengerat
- Drops startup file (1 IoCs)
  Processes: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
    description: File opened for modification
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OFFICEYO0049.URL
    process: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
    description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0
    process: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    process: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
    description: Token: SeDebugPrivilege
    pid: 1944
    process: e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe"
   - Drops startup file
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken