General

  • Target

    a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb

  • Size

    600KB

  • Sample

    230310-leddaace69

  • MD5

    628e9b3aa525960223fd93bae86b5e7d

  • SHA1

    906713e97ce6618590ea72f5633416730a0a7317

  • SHA256

    a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb

  • SHA512

    31b2bcbea386c883331057db445cf68dc7eebb065deced483f149408528aadfa3b405f4efd06b8ac73cf237592f7142cc35ad88e149d532e4c9bc86c038f7550

  • SSDEEP

    12288:nUG2pBoy4QQbDRfEk9Iz/rduerdgpjtDNzNpEsRkP7mHqx9bsejWgsWsHQb0Awwc:VuBoyw

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

127.0.0.1:37734

127.0.0.1:12792

songs-travel.at.ply.gg:333

songs-travel.at.ply.gg:37734

songs-travel.at.ply.gg:12792

tcp://5.tcp.eu.ngrok.io:333

tcp://5.tcp.eu.ngrok.io:37734

tcp://5.tcp.eu.ngrok.io:12792

Mutex

RV_MUTEX

Targets

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and history.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

      1  T1081  Credentials in Files

  • Discovery

      2  T1012  Query Registry
      3  T1082  System Information Discovery

  • Collection

      1  T1005  Data from Local System

  • Command and Control

      1  T1102  Web Service