Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 05:11
Static task: static1
Behavioral task: behavioral1
  Sample: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  Resource: win10v2004-20220414-en
General
- Target: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
- Size: 345KB
- MD5: 625c5be82cb33b45e21c521995e543f7
- SHA1: acf0d26d067696b2c93015e83b3811cf96f90510
- SHA256: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea
- SHA512: 351ee2bcfeeb91de93081fe763a20b99b0e9493db6fda8eee0de336b6a963610dd5b8160b32490c06dd53f6b1aaab1be4e8ed6da79338c57b53df7389d35cd06
Malware Config
Extracted: revengerat
- CEO
- 192.168.1.4:666
- 192.168.1.4:1716
- netking.duckdns.org:666
- netking.duckdns.org:1716
- RV_MUTEX-LuSAtYBxGgZH
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  resource | yara_rule
  behavioral2/memory/4588-142-0x0000000000400000-0x0000000000408000-memory.dmp | revengerat
- Drops startup file (1 IoC)
  Processes: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VEOOqq.url | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  description | pid | process | target process
  PID 4528 set thread context of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  pid | process
  4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe, RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
  Token: SeDebugPrivilege | 4588 | RegAsm.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe, csc.exe
  description | pid | process | target process
  PID 4528 wrote to memory of 1532 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | csc.exe
  PID 4528 wrote to memory of 1532 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | csc.exe
  PID 4528 wrote to memory of 1532 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | csc.exe
  PID 1532 wrote to memory of 4640 | 1532 | csc.exe | cvtres.exe
  PID 1532 wrote to memory of 4640 | 1532 | csc.exe | cvtres.exe
  PID 1532 wrote to memory of 4640 | 1532 | csc.exe | cvtres.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
  PID 4528 wrote to memory of 4588 | 4528 | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.cmdline"
    - Suspicious use of WriteProcessMemory
    - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB059.tmp" "c:\Users\Admin\AppData\Local\Temp\jdalg1fk\CSCAC25AE9DD69E4C6FB2CB234DD6299D7A.TMP"
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\RESB059.tmp
  Filesize: 1KB
  MD5: 661dfb464d75e3b5779eda07abaac86e
  SHA1: 551ca50088c651b2ff961af43aca8fa34ff885d8
  SHA256: d4caeba836abcde9b16470086834847515d1692379188bcd90eb12fe8db83df9
  SHA512: 9e02b273ce30736122aadedc2859aeef8d9a2ee75decd17b45fa24a827c378d892885d6dc8423eae2620365c239a02e4d72f1e0b12721e8d334d7a04747efd0c
- C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.dll
  Filesize: 6KB
  MD5: a8f440271f13c3ca30974609931bd3db
  SHA1: 418cb63f5591542527781c5771be95b45cab538d
  SHA256: 9de4f1f37c94c3cba39f5134dd1c46b71f0ad02b6f60e61bbf7b73b9521f46d3
  SHA512: 19ed717670a2c225b922809e13671a7a5079f0fe12a2c29a06100cf5f76d2787db562cd11dd1fc73cc3b1bd9d20ff974badf88595def012453d8d2a70e1a07a7
- C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.pdb
  Filesize: 15KB
  MD5: d64018ab5d8306ba25345f4ceb6d244a
  SHA1: 4bdadad5d51a0125d2e83397558950504863d9e5
  SHA256: 97b370b2397082be7b6e562d70f0fa327d9dad60b578c0292f5527afc9a18eec
  SHA512: 88ca064c6c56c0a80fcc5824eec7054d3505d2d86ec7112bc97b11c3c2068c23148ccfb34c0fa73e73a65f4419a7a3d5ba1d8aa2ae7696d2d6c0151211c3d201
- \??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\CSCAC25AE9DD69E4C6FB2CB234DD6299D7A.TMP
  Filesize: 1KB
  MD5: 6eae8ca50c27fe18c4b5af2584aecf42
  SHA1: 8ba11aed44b5a959f443ef6af3e2005da3a57c8a
  SHA256: a5c373ef7a8ef9d5a3b20f2a47b0dc5508b203fdcd72444d622ce50743096744
  SHA512: 744418c948dcee775587ea89793a8b609d5d355aff3c6f0c841f65e8278d06155301e031778b28d657ff27f28005bd954aed4486855355cd96f49e8eaca5c512
- \??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.0.cs
  Filesize: 2KB
  MD5: 898702ed72ed760606b16ba1b0127af4
  SHA1: 54def04d7ddf5c2816e6f76b032be192aea661ef
  SHA256: 4171994b6dd8dd4a5814d5f749041f03075d9f1e178f544804ff564d68396c1a
  SHA512: 41522d3986701e7e253c308dc3a904f153b943874b78d89d87f466861e2f7598a3d46edbd63aadd3f6c6bed996185584ec3f027edba3eb3a98862ac35511da4f
- \??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.cmdline
  Filesize: 312B
  MD5: 5c2fd49f8df7350919b2b51b20296471
  SHA1: 05fa831b6ae714205b4a78ebafb23c7e34e50273
  SHA256: 3b9ea422592fe0aa8b51218e037e7550ce65d494dfab4e7708919c1a391fea11
  SHA512: 207027fba2a19ea9e815e21601858e7789eb9cc435abf94f4caf664c526ea65c9440b4f1f05c5e2ad5b441a506fb1f3d70a54f8c74ca177bfdb86c8c24efec78
- memory/1532-131-0x0000000000000000-mapping.dmp
- memory/4528-130-0x0000000000580000-0x00000000005C4000-memory.dmp
  Filesize: 272KB
- memory/4528-139-0x0000000004F40000-0x0000000004FD2000-memory.dmp
  Filesize: 584KB
- memory/4528-140-0x0000000005460000-0x00000000054FC000-memory.dmp
  Filesize: 624KB
- memory/4588-141-0x0000000000000000-mapping.dmp
- memory/4588-142-0x0000000000400000-0x0000000000408000-memory.dmp
  Filesize: 32KB
- memory/4588-143-0x0000000071250000-0x0000000071801000-memory.dmp
  Filesize: 5.7MB
- memory/4588-144-0x0000000071250000-0x0000000071801000-memory.dmp
  Filesize: 5.7MB
- memory/4640-134-0x0000000000000000-mapping.dmp