Analysis
- max time kernel: 148s
- max time network: 95s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 00:37
Static task: static1
Behavioral task: behavioral1
- Sample: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
- Resource: win10v2004-20220414-en
General
- Target: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
- Size: 34KB
- MD5: 8223ed91a842abd590bf94d3547648ca
- SHA1: 16911011bfd074c1e94feedf3099b7588bf64772
- SHA256: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878
- SHA512: fff0c118ee8c2d32e88587d485b5ff8c2a67c516d4926fb84af4e99eacd7f8fb34e0732fb536bf51efd4ccc7554c45044e5c5945720700bd8f8ba8d9b2a29a1e
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: bdder2004.myddns.me:9999
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoCs)
  Processes:
  - resource: behavioral1/memory/1880-57-0x0000000000940000-0x000000000094A000-memory.dmp; yara_rule: revengerat
- Drops startup file (1 IoCs)
  Processes:
  - description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe; process: vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 1880; process: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - PID 1880 wrote to memory of 828; process: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe; target process: vbc.exe
  - PID 1880 wrote to memory of 828; process: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe; target process: vbc.exe
  - PID 1880 wrote to memory of 828; process: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe; target process: vbc.exe
  - PID 1880 wrote to memory of 828; process: 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe; target process: vbc.exe
  - PID 828 wrote to memory of 1224; process: vbc.exe; target process: cvtres.exe
  - PID 828 wrote to memory of 1224; process: vbc.exe; target process: cvtres.exe
  - PID 828 wrote to memory of 1224; process: vbc.exe; target process: cvtres.exe
  - PID 828 wrote to memory of 1224; process: vbc.exe; target process: cvtres.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.cmdline"
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECB3CDDB81A24992869EB1B2503E3BE0.TMP"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES5E18.tmp
  Filesize: 1KB
  MD5: 1a0841bbc9a46a79805a785650f44495
  SHA1: 7f8178bcd6f61ec788f09b768335f1a0f301c52f
  SHA256: 9d7e0b3ace1c251c2e40f1f00247be03b244681f8f35a0e2508b47ecc68e0d4d
  SHA512: 9dcff9afef120f40d45a317207da8a8a9207aa2235422eb3438ad310d60d32052c7a6f812ad2c8cd4b7cdd304b8d1fb5764a80890bf0839bab577ad8469966da
- C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.0.vb
  Filesize: 211B
  MD5: 8bf1f067bb325b1661d32546c57e8ce6
  SHA1: 3e993c7fcf91fc17c78a5c8e23b48bd2d285c32e
  SHA256: 348f4579b19f45c9c8a4bd1434a4641a775b728a17988d850f9f18793aa4149d
  SHA512: 80b393f2e12f48c962bddaf34d7715af9a4deaf7c535f9ebd006033c5376395d4bf560be06a942a26ee4d9d5e99ab7bddbe72b4546ea804c4f0110bd7eeb00cb
- C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.cmdline
  Filesize: 203B
  MD5: 0f4ad9dcf383b7952954f7e3d1f0d8ab
  SHA1: f00e08fa46d9a726e95205c40675540f79cbe63a
  SHA256: 4413aa6d40a6944e89f965c02de776e2fd4d49cd90489c023652b2da0a9ade59
  SHA512: 4b57f0048aaadced9cb0b65cb21d723606757b4908bb2cb389d2d1a66dd495b774ec737f22c2a5a27654c836549b94f8f6a35fbbfedaa3d8c0aec5d48492f4f4
- C:\Users\Admin\AppData\Local\Temp\vbcECB3CDDB81A24992869EB1B2503E3BE0.TMP
  Filesize: 1KB
  MD5: e9144225655a1177485a6238f397718e
  SHA1: 0618d989814312c38b8005fc469222f891470642
  SHA256: f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d
  SHA512: 392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4
- memory/828-59-0x0000000000000000-mapping.dmp
- memory/1224-62-0x0000000000000000-mapping.dmp
- memory/1880-54-0x0000000000D10000-0x0000000000D20000-memory.dmp
  Filesize: 64KB
- memory/1880-55-0x0000000075311000-0x0000000075313000-memory.dmp
  Filesize: 8KB
- memory/1880-56-0x0000000004C65000-0x0000000004C76000-memory.dmp
  Filesize: 68KB
- memory/1880-57-0x0000000000940000-0x000000000094A000-memory.dmp
  Filesize: 40KB
- memory/1880-58-0x0000000004C65000-0x0000000004C76000-memory.dmp
  Filesize: 68KB