Overview

overview

10

Static

static

10

3f5d94ceb5...e7.exe

windows7_x64

10

3f5d94ceb5...e7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    01-07-2022 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

  • Size

    17KB

  • MD5

    1098d8e6429779b56a6b6a542cd3bc11

  • SHA1

    73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5

  • SHA256

    3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

  • SHA512

    825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

Score
10/10
revengeratthe newstealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

The New

C2

wowhu.zapto.org:5550

wowhu.zapto.org:5551

wowhu.zapto.org:5552

wowhu.zapto.org:5553

wowhu.zapto.org:5554

wowhu.zapto.org:5555

haxballfc.ddns.net:5550

haxballfc.ddns.net:5551

haxballfc.ddns.net:5552

haxballfc.ddns.net:5553

haxballfc.ddns.net:5554

haxballfc.ddns.net:5555

linkshosts.ddns.net:5550

linkshosts.ddns.net:5551

linkshosts.ddns.net:5552

linkshosts.ddns.net:5553

linkshosts.ddns.net:5554

linkshosts.ddns.net:5555

gaminghost.ddns.net:5550

gaminghost.ddns.net:5551
Mutex

RV_MUTEX-IPcYBGldGoFYE

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 2 IoCs
    stealer
  • Executes dropped EXE 1 IoCs
  • Drops startup file 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe
    "C:\Users\Admin\AppData\Local\Temp\3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe"
    1⤵
    • Drops startup file
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
    Filesize

    17KB

    MD5

    1098d8e6429779b56a6b6a542cd3bc11

    SHA1

    73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5

    SHA256

    3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

    SHA512

    825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
    Filesize

    17KB

    MD5

    1098d8e6429779b56a6b6a542cd3bc11

    SHA1

    73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5

    SHA256

    3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

    SHA512

    825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

    Download Submit
  • memory/748-54-0x000007FEF4380000-0x000007FEF4DA3000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/748-55-0x000007FEEEAC0000-0x000007FEEFB56000-memory.dmp
    Filesize

    16.6MB

    Download
  • memory/748-56-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-60-0x000007FEF5260000-0x000007FEF5C83000-memory.dmp
    Filesize

    10.1MB

    Download
  • memory/1988-61-0x000007FEEDA20000-0x000007FEEEAB6000-memory.dmp
    Filesize

    16.6MB

    Download