General

  • Target

    c51ddb34c1a0bcd8af4829d8a54c4341.exe

  • Size

    140KB

  • Sample

    220906-qlvncsafdk

  • MD5

    c51ddb34c1a0bcd8af4829d8a54c4341

  • SHA1

    84860f90d7c7344a315e9ddc176d8e4a966ad7ad

  • SHA256

    880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af

  • SHA512

    924bd3791a353328e7b946b846b02279bb588c6e7f0ba88d9579e320a343f4572d9a773bd92ef520c562e6c5a5e156108b6d865537bdacb01bbe006d64756a17

  • SSDEEP

    3072:aMSncRzAO/5XRUAoVFwkIV35QWYBkU+KbRMcP+MQWv:5SncRlBS9VTkYiU+KbR7j

Malware Config (extracted)

  • Family

    revengerat

  • Botnet

    Guest

  • C2

    194.5.179.83:4040

    127.0.0.1:4040

  • Mutex

    RV_MUTEX

Targets

    • Target

      c51ddb34c1a0bcd8af4829d8a54c4341.exe

    • Size

      140KB

    • MD5

      c51ddb34c1a0bcd8af4829d8a54c4341

    • SHA1

      84860f90d7c7344a315e9ddc176d8e4a966ad7ad

    • SHA256

      880ac454f385019390e07ff3f7e1986ffb806951413d6d3774df9ba57a4fe8af

    • SHA512

      924bd3791a353328e7b946b846b02279bb588c6e7f0ba88d9579e320a343f4572d9a773bd92ef520c562e6c5a5e156108b6d865537bdacb01bbe006d64756a17

    • SSDEEP

      3072:aMSncRzAO/5XRUAoVFwkIV35QWYBkU+KbRMcP+MQWv:5SncRlBS9VTkYiU+KbR7j

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 3

Tasks