Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-03-2023 09:26
Static task: static1
Behavioral task: behavioral1
Sample: a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
Resource: win10v2004-20230220-en
General
Target: a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
Size: 600KB
MD5: 628e9b3aa525960223fd93bae86b5e7d
SHA1: 906713e97ce6618590ea72f5633416730a0a7317
SHA256: a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb
SHA512: 31b2bcbea386c883331057db445cf68dc7eebb065deced483f149408528aadfa3b405f4efd06b8ac73cf237592f7142cc35ad88e149d532e4c9bc86c038f7550
SSDEEP: 12288:nUG2pBoy4QQbDRfEk9Iz/rduerdgpjtDNzNpEsRkP7mHqx9bsejWgsWsHQb0Awwc:VuBoyw
Malware Config
Extracted
Family: revengerat
ID: Guest
C2:
127.0.0.1:333
127.0.0.1:37734
127.0.0.1:12792
songs-travel.at.ply.gg:333
songs-travel.at.ply.gg:37734
songs-travel.at.ply.gg:12792
tcp://5.tcp.eu.ngrok.io:333
tcp://5.tcp.eu.ngrok.io:37734
tcp://5.tcp.eu.ngrok.io:12792
Mutex: RV_MUTEX
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (4 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\417379.exe | revengerat
C:\Users\Admin\AppData\Local\417379.exe | revengerat
C:\Users\Admin\AppData\Local\417379.exe | revengerat
behavioral1/memory/4384-211-0x0000000000E00000-0x0000000000E08000-memory.dmp | revengerat

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe

Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Updater.lnk | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe

Executes dropped EXE (1 IoC)
Processes:
pid | process
4384 | 417379.exe

Loads dropped DLL (5 IoCs)
Processes:
pid | process
2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | 417379.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 417379.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
Token: SeDebugPrivilege | 4384 | 417379.exe

Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description | pid | process | target process
PID 2776 wrote to memory of 4384 | 2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe | 417379.exe
PID 2776 wrote to memory of 4384 | 2776 | a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe | 417379.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe"
   - Checks computer location settings
   - Drops startup file
   - Loads dropped DLL
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\417379.exe
      Command line: "C:\Users\Admin\AppData\Local\417379.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\417379.exe
Filesize: 17KB
MD5: 655f6edee75a4cc49a8fa34567037da9
SHA1: 9ff2fc0ccc94230411c3f1507c648867e2306f14
SHA256: 6481f9e27bec4cf6702b6d6a09761c62782f5010da0dfd0a396575c60200279d
SHA512: 69754378ec7480c708aa3b7e979d0ec465b3e499e811d4a89ff1d5b863f7a796f8d5893fdcc90831c1374dd63782de3d02a06934564ddd1406fcbce98c63d89b

C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
Filesize: 451KB
MD5: 6ded8fcbf5f1d9e422b327ca51625e24
SHA1: 8a1140cebc39f6994eef7e8de4627fb7b72a2dd9
SHA256: 3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
SHA512: bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize: 384KB
MD5: 55c797383dbbbfe93c0fe3215b99b8ec
SHA1: 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA256: 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512: 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize: 1.3MB
MD5: 8be215abf1f36aa3d23555a671e7e3be
SHA1: 547d59580b7843f90aaca238012a8a0c886330e6
SHA256: 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA512: 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Memory dumps (resource | Filesize)
memory/2776-179-0x000000000DD30000-0x000000000DDA8000-memory.dmp | 480KB
memory/2776-150-0x000000000B5B0000-0x000000000BB54000-memory.dmp | 5.6MB
memory/2776-174-0x000000000DCC0000-0x000000000DD26000-memory.dmp | 408KB
memory/2776-133-0x00000000004B0000-0x000000000054E000-memory.dmp | 632KB
memory/2776-162-0x000000000CDF0000-0x000000000CE2C000-memory.dmp | 240KB
memory/2776-152-0x000000000C450000-0x000000000C612000-memory.dmp | 1.8MB
memory/2776-156-0x000000000C7D0000-0x000000000C832000-memory.dmp | 392KB
memory/2776-194-0x000000000DEE0000-0x000000000DEFE000-memory.dmp | 120KB
memory/2776-202-0x0000000002A60000-0x0000000002A70000-memory.dmp | 64KB
memory/2776-173-0x000000000DC40000-0x000000000DCB6000-memory.dmp | 472KB
memory/2776-149-0x000000000AF60000-0x000000000AFF2000-memory.dmp | 584KB
memory/2776-134-0x0000000002A60000-0x0000000002A70000-memory.dmp | 64KB
memory/4384-211-0x0000000000E00000-0x0000000000E08000-memory.dmp | 32KB
memory/4384-212-0x000000001C460000-0x000000001C92E000-memory.dmp | 4.8MB
memory/4384-213-0x0000000001850000-0x00000000018F6000-memory.dmp | 664KB
memory/4384-214-0x0000000001900000-0x0000000001910000-memory.dmp | 64KB
memory/4384-215-0x000000001BF10000-0x000000001BF72000-memory.dmp | 392KB
memory/4384-216-0x0000000001900000-0x0000000001910000-memory.dmp | 64KB