General

  • Target: 336A4B6F945E79E683E1D1D0CF1EDAA2F41AB0A5DCC96.exe
  • Size: 2.1MB
  • Sample: 220731-jh4crsfhbl
  • MD5: 8a482533fe2e91bf1542fd9568774473
  • SHA1: f4d1c1c3e8ac828ffd3675a7590590d856473c87
  • SHA256: 336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6
  • SHA512: 31e2645a70a7fa3e248465a00d8310a9e93bb7665f4e1d9171e2983b4d0272b79dde5b56b5edbb559662ff36c2db6133a68c346a3c8ca67540e94c4ad658b36d

Malware Config

Targets

    • Target: 336A4B6F945E79E683E1D1D0CF1EDAA2F41AB0A5DCC96.exe
    • Size: 2.1MB
    • MD5: 8a482533fe2e91bf1542fd9568774473
    • SHA1: f4d1c1c3e8ac828ffd3675a7590590d856473c87
    • SHA256: 336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6
    • SHA512: 31e2645a70a7fa3e248465a00d8310a9e93bb7665f4e1d9171e2983b4d0272b79dde5b56b5edbb559662ff36c2db6133a68c346a3c8ca67540e94c4ad658b36d

    • RevengeRAT: remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tactic                Technique                            Count  ID
Execution             Scripting                            1      T1064
Execution             Scheduled Task                       1      T1053
Persistence           Registry Run Keys / Startup Folder   1      T1060
Persistence           Scheduled Task                       1      T1053
Privilege Escalation  Scheduled Task                       1      T1053
Defense Evasion       Scripting                            1      T1064
Defense Evasion       Modify Registry                      1      T1112
Discovery             Query Registry                       2      T1012
Discovery             System Information Discovery         3      T1082

Tasks