Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
09-02-2023 15:46
Static task
static1
Behavioral task
behavioral1
Sample
stealer30.exe
Resource
win7-20220812-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
stealer30.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
stealer30.exe
-
Size
373KB
-
MD5
70d717a07a6df0db8fa222a5719c1ccd
-
SHA1
71dd5d3f838e2f869cca3aaf186c60aeb05bd682
-
SHA256
4acc7393b942c7c331ef0d08dc20000177adbe93f7a5202af14735b148c432f7
-
SHA512
cd83260c5b5891815907fb8b18383d8428c7d77a5c8af0556aaa8036e7dc2026c1e268506df86385dc8a2cb7d776b700b638adbf79b4d393a331b6d6e85cb250
-
SSDEEP
6144:wsNJZA19r/SpqYYn/70nFIyUveIh6i2AgVv0Io9J:b/i9T07YD0XF+n
Score
10/10
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 5 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1056-63-0x0000000000400000-0x0000000000414000-memory.dmp  revengerat
behavioral1/memory/1056-62-0x0000000000400000-0x0000000000414000-memory.dmp  revengerat
behavioral1/memory/1056-61-0x0000000000400000-0x0000000000414000-memory.dmp  revengerat
behavioral1/memory/1056-64-0x000000000040E8FE-mapping.dmp                    revengerat
behavioral1/memory/1056-66-0x0000000000400000-0x0000000000414000-memory.dmp  revengerat
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid   process        target process
PID 1120 set thread context of 1056    1120  stealer30.exe  stealer30.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1120  stealer30.exe
Token: SeDebugPrivilege  1056  stealer30.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description                        pid   process        target process
PID 1120 wrote to memory of 1056   1120  stealer30.exe  stealer30.exe   (12 identical events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\stealer30.exe (PID 1120)
   command line: "C:\Users\Admin\AppData\Local\Temp\stealer30.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\stealer30.exe (PID 1056, child of PID 1120)
      command line: "C:\Users\Admin\AppData\Local\Temp\stealer30.exe"
      - Suspicious use of AdjustPrivilegeToken
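Read together, the signatures above are the RunPE / process-hollowing sequence: stealer30.exe (PID 1120) enables SeDebugPrivilege, starts a second copy of itself (PID 1056), writes into that child twelve times and then calls SetThreadContext to point the child's thread at the written-in code; every RevengeRAT YARA hit lands in the child's 0x400000-0x414000 region and the mapping dump at 0x40E8FE sits inside it. The Python below is an added example, not the sandbox's own signature code and nothing taken from the sample: it parses event lines shaped like the flattened tables above (constructed here, with an invented installer.exe/helper.exe control line that must not match) plus dump names from the Downloads list, flags a parent/child pair that shows both WriteProcessMemory and SetThreadContext, and picks out the child dumps that carry the injected image. The regexes and the 0x400000 default-image-base heuristic are assumptions about the report layout, not part of the page.

```python
import re
from collections import defaultdict

# Constructed event lines in the shape of the report's flattened "Processes:"
# tables. The stealer30.exe lines mirror the report (three of its twelve write
# events repeated); the installer.exe/helper.exe line is an invented control.
SANDBOX_EVENTS = [
    "PID 1120 set thread context of 1056 1120 stealer30.exe stealer30.exe",
    "Token: SeDebugPrivilege 1120 stealer30.exe",
    "Token: SeDebugPrivilege 1056 stealer30.exe",
    "PID 1120 wrote to memory of 1056 1120 stealer30.exe stealer30.exe",
    "PID 1120 wrote to memory of 1056 1120 stealer30.exe stealer30.exe",
    "PID 1120 wrote to memory of 1056 1120 stealer30.exe stealer30.exe",
    "PID 2000 wrote to memory of 2100 2000 installer.exe helper.exe",
]

# Subset of the dump names from the report's Downloads list (one parent, two child).
DUMP_NAMES = [
    "memory/1120-54-0x0000000000CA0000-0x0000000000D02000-memory.dmp",
    "memory/1056-63-0x0000000000400000-0x0000000000414000-memory.dmp",
    "memory/1056-64-0x000000000040E8FE-mapping.dmp",
]

# Assumed line shapes, derived from the flattened tables above.
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# Heuristic: classic ImageBase of a 32-bit PE linked without ASLR; a hollowed
# child gets the payload written there.
DEFAULT_IMAGE_BASE = 0x400000


def parse_events(lines):
    """Count memory writes and note SetThreadContext per (parent_pid, child_pid);
    collect the privileges each pid enabled."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "images": None})
    privs = defaultdict(set)
    for line in lines:
        m = WRITE_RE.match(line)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            rec = pairs[(int(ppid), int(cpid))]
            rec["writes"] += 1
            rec["images"] = (pimg, cimg)
            continue
        m = CTX_RE.match(line)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            rec = pairs[(int(ppid), int(cpid))]
            rec["set_context"] = True
            rec["images"] = (pimg, cimg)
            continue
        m = TOKEN_RE.match(line)
        if m:
            priv, pid, _img = m.groups()
            privs[int(pid)].add(priv)
    return pairs, privs


def find_hollowing(lines):
    """Flag parent->child pairs where the parent both wrote the child's memory
    and replaced a thread context: the RunPE / process-hollowing sequence.
    Writes alone (installer.exe -> helper.exe) are not enough."""
    pairs, privs = parse_events(lines)
    hits = []
    for (ppid, cpid), rec in sorted(pairs.items()):
        if rec["writes"] and rec["set_context"]:
            pimg, cimg = rec["images"]
            hits.append({
                "parent_pid": ppid,
                "child_pid": cpid,
                "writes": rec["writes"],
                "self_image": pimg == cimg,          # child is a copy of the parent
                "parent_sedebug": "SeDebugPrivilege" in privs.get(ppid, set()),
            })
    return hits


def dump_region(name):
    """Decode 'memory/<pid>-<n>-0xSTART-0xEND-memory.dmp' into pid, bounds and
    size in KB (matches the Filesize the report prints); None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size_kb": (end - start) // 1024}


def payload_dumps(lines, dump_names):
    """Return the dumps worth carving: child-process regions starting at the
    default image base, plus mapping dumps whose address falls inside one."""
    child_pids = {h["child_pid"] for h in find_hollowing(lines)}
    regions = []
    for n in dump_names:
        r = dump_region(n)
        if r and r["pid"] in child_pids and r["start"] == DEFAULT_IMAGE_BASE:
            regions.append(dict(r, name=n))
    out = [r["name"] for r in regions]
    for n in dump_names:
        m = MAP_RE.match(n)
        if m and int(m.group(1)) in child_pids:
            addr = int(m.group(2), 16)
            if any(r["start"] <= addr < r["end"] for r in regions):
                out.append(n)
    return out


if __name__ == "__main__":
    for hit in find_hollowing(SANDBOX_EVENTS):
        print(hit)
    print(payload_dumps(SANDBOX_EVENTS, DUMP_NAMES))
```

The parent's own 392KB region at 0xCA0000 is deliberately not selected: it is the packed loader, whereas the 80KB child region at 0x400000 is what the YARA rule matched and what an analyst should unpack and hash first.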
Network
MITRE ATT&CK Matrix
Downloads
- memory/1056-58-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1056-63-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1056-62-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1056-61-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1056-59-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1056-64-0x000000000040E8FE-mapping.dmp
- memory/1056-66-0x0000000000400000-0x0000000000414000-memory.dmp  (Filesize 80KB)
- memory/1120-54-0x0000000000CA0000-0x0000000000D02000-memory.dmp  (Filesize 392KB)
- memory/1120-55-0x00000000004B0000-0x00000000004C6000-memory.dmp  (Filesize 88KB)
- memory/1120-56-0x0000000075351000-0x0000000075353000-memory.dmp  (Filesize 8KB)
- memory/1120-57-0x00000000005D0000-0x00000000005D8000-memory.dmp  (Filesize 32KB)