Analysis
Max time kernel: 149s
Max time network: 172s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 07-07-2022 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
  Resource: win10v2004-20220414-en
The signatures and memory dumps below come from behavioral2 (the Windows 10 2004 x64 run).
General
Target: 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
Size: 819KB
MD5: 5b9dd49ffe63a9cc638f28383cacac8f
SHA1: 6ea781eb54e023b9dc06599be6349cb7c7eb8a37
SHA256: 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118
SHA512: abdb1b0f3b18c8a85b5b3bd7dced382408cf0f37aa47dfc622546b793e17f5629f475666c399e0eafbc16c94368b1a727e6bdbaf104f00df2b9e04910662a36f
Malware Config
Extracted family: revengerat
  BABAYAGA
  condor777.chickenkiller.com:1604
  EZlNApdygPhSv
The report lists these three fields without labels. condor777.chickenkiller.com:1604 is the C2 endpoint (host:port); chickenkiller.com is a shared free dynamic-DNS domain, so block and hunt on the full hostname rather than the parent domain. RevengeRAT configs typically carry a campaign ID and a mutex name alongside the C2 list, which is consistent with BABAYAGA and EZlNApdygPhSv, but confirm both against the unpacked payload before using them as indicators.
Signatures

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoC)
  YARA rule: revengerat
  Resource: behavioral2/memory/2268-133-0x0000000000400000-0x0000000000408000-memory.dmp
  The hit is on a 32KB region at the image base of PID 2268 (regasm.exe), i.e. on the injected payload, not on the on-disk sample.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
  Key created: \Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxXxwFIf = "C:\rxXxwFIf\uIDSYFqn.exe"
  HKU\<SID> is the sandbox user's HKCU, so this persistence needs no elevation. The report records no file write to C:\rxXxwFIf\uIDSYFqn.exe, so on a real host verify that the path exists before assuming the Run entry resolves to a live payload.

Suspicious use of SetThreadContext (1 IoC)
  PID 3316 (4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe) set thread context of PID 2268 (regasm.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 3316 (4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe), 10 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2268 (regasm.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 3316 (4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe) wrote to memory of PID 2268 (regasm.exe), 5 occurrences

Read together: the sample launches the 32-bit .NET 2.0 regasm.exe, writes into it five times, then resets its thread context, which is the process-hollowing sequence. The RevengeRAT YARA match lands in the 0x400000-0x408000 region of PID 2268, and it is regasm.exe rather than the dropper that later enables SeDebugPrivilege, so the hollowed host is the running RAT. The "Suspicious use of" entries are Triage's generic API-call signatures and fire regardless of family; the family attribution rests on the YARA hit and the extracted config.
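The signature lines above arrive as one flattened string per IoC. The following parser is an added example for this page (not Triage tooling): it pulls the Run-key persistence, the parent-to-child injection events and the privilege change out of lines copied from this report, and flags the WriteProcessMemory plus SetThreadContext pair against the same target as hollowing. The list of commonly hollowed host binaries is this example's own assumption.

```python
"""Turn flattened Triage signature lines (the format in the report above)
into structured IoCs and flag the WriteProcessMemory + SetThreadContext
pair that marks a hollowed child process.

Added example for this page, not Triage's own code. The input lines are
copied from the report's Signatures section; HOLLOWING_TARGETS is an
assumption of this example."""
import re

SAMPLE = "4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe"

# Detail lines copied from the report (one string per IoC).
SIGNATURE_LINES = [
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxXxwFIf\ = "
    r'"C:\\rxXxwFIf\\uIDSYFqn.exe" ' + SAMPLE,
    f"PID 3316 set thread context of 2268 3316 {SAMPLE} regasm.exe",
    *[f"PID 3316 wrote to memory of 2268 3316 {SAMPLE} regasm.exe"] * 5,
    "Token: SeDebugPrivilege 2268 regasm.exe",
]

# Triage mixes the case of the hive prefix (\REGISTRY\USER vs \Registry\User).
RUN_KEY_RE = re.compile(
    r"Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)\\ = "
    r'"(?P<value>[^"]+)"',
    re.IGNORECASE,
)
# "PID <src> <action> <dst> <src again> <src image> <dst image>"
INJECT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)"
)
PRIV_RE = re.compile(r"Token: (?P<priv>Se\w+Privilege) (?P<pid>\d+) (?P<image>\S+)")

# Signed host binaries this example treats as suspicious hollowing targets
# when a non-system parent both writes their memory and resets a thread context.
HOLLOWING_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def parse_signatures(lines):
    """Group raw signature lines into run keys, per-(src,dst) injection counts
    and privilege adjustments."""
    result = {"run_keys": [], "injections": {}, "privileges": []}
    for line in lines:
        if m := RUN_KEY_RE.search(line):
            result["run_keys"].append({
                "key": "HKU\\" + m["sid"] + r"\Software\Microsoft\Windows\CurrentVersion\Run",
                "name": m["name"],
                # the report doubles backslashes inside the quoted value
                "path": m["value"].replace("\\\\", "\\"),
            })
        elif m := INJECT_RE.search(line):
            rec = result["injections"].setdefault((m["src"], m["dst"]), {
                "src_image": m["src_image"], "dst_image": m["dst_image"],
                "set_thread_context": 0, "wrote_to_memory": 0,
            })
            field = "set_thread_context" if m["action"].startswith("set") else "wrote_to_memory"
            rec[field] += 1
        elif m := PRIV_RE.search(line):
            result["privileges"].append((m["pid"], m["image"], m["priv"]))
    return result


def find_hollowing(parsed):
    """Flag source/target pairs that show both memory writes and a thread
    context reset; a write alone (e.g. a debugger) is not enough."""
    findings = []
    for (src, dst), rec in parsed["injections"].items():
        if rec["set_thread_context"] and rec["wrote_to_memory"]:
            findings.append({
                "source_pid": src, "source_image": rec["src_image"],
                "target_pid": dst, "target_image": rec["dst_image"],
                "writes": rec["wrote_to_memory"],
                "known_target": rec["dst_image"].lower() in HOLLOWING_TARGETS,
            })
    return findings


if __name__ == "__main__":
    parsed = parse_signatures(SIGNATURE_LINES)
    for rk in parsed["run_keys"]:
        print(f"persistence: {rk['key']}\\{rk['name']} -> {rk['path']}")
    for f in find_hollowing(parsed):
        print(f"hollowing: {f['source_image']} ({f['source_pid']}) -> "
              f"{f['target_image']} ({f['target_pid']}), {f['writes']} writes, "
              f"known target: {f['known_target']}")
    for pid, image, priv in parsed["privileges"]:
        print(f"privilege: {image} ({pid}) enabled {priv}")
```

When turning the parsed Run key into a hunt, replace the sandbox SID with a wildcard (the S-1-5-21-... value is specific to the Triage VM user) and search on the value name rxXxwFIf and the path C:\rxXxwFIf\uIDSYFqn.exe instead.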
Processes
1. C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe (PID 3316)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe (PID 2268, child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
      - Suspicious use of AdjustPrivilegeToken
      regasm.exe is started with no arguments, which legitimate use (registering an assembly) never does; a parent in a user's Temp directory spawning an argument-less regasm.exe is itself a hunting lead independent of the API-call signatures.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
memory/2268-132-0x0000000000000000-mapping.dmp  (regasm.exe mapping dump; no size given)
memory/2268-133-0x0000000000400000-0x0000000000408000-memory.dmp  32KB  (regasm.exe image-base region; RevengeRAT YARA hit)
memory/2268-135-0x00000000745E0000-0x0000000074B91000-memory.dmp  5.7MB  (regasm.exe)
memory/2268-136-0x00000000745E0000-0x0000000074B91000-memory.dmp  5.7MB  (regasm.exe, same region, later snapshot)
memory/3316-130-0x0000000002560000-0x0000000002655000-memory.dmp  980KB  (sample)
memory/3316-131-0x0000000002560000-0x0000000002655000-memory.dmp  980KB  (sample, same region)
memory/3316-134-0x0000000002560000-0x0000000002655000-memory.dmp  980KB  (sample, same region)
For analysis, start with 2268-133: at 32KB it is the unpacked RevengeRAT image written into regasm.exe and the dump the YARA rule matched. The 980KB region in the parent, dumped three times and larger than the 819KB file on disk, is consistent with the dropper's decrypted stage held in memory before injection; the two 5.7MB dumps are a large module mapped in the 32-bit regasm.exe process and are unlikely to contain payload.