Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2023 09:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe

  • Size

    600KB

  • MD5

    628e9b3aa525960223fd93bae86b5e7d

  • SHA1

    906713e97ce6618590ea72f5633416730a0a7317

  • SHA256

    a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb

  • SHA512

    31b2bcbea386c883331057db445cf68dc7eebb065deced483f149408528aadfa3b405f4efd06b8ac73cf237592f7142cc35ad88e149d532e4c9bc86c038f7550

  • SSDEEP

    12288:nUG2pBoy4QQbDRfEk9Iz/rduerdgpjtDNzNpEsRkP7mHqx9bsejWgsWsHQb0Awwc:VuBoyw

Score
10/10
revengeratguestspywarestealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

127.0.0.1:37734

127.0.0.1:12792

songs-travel.at.ply.gg:333

songs-travel.at.ply.gg:37734

songs-travel.at.ply.gg:12792

tcp://5.tcp.eu.ngrok.io:333

tcp://5.tcp.eu.ngrok.io:37734

tcp://5.tcp.eu.ngrok.io:12792
Mutex

RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 4 IoCs
    stealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe
    "C:\Users\Admin\AppData\Local\Temp\a050521e44bf504fe73e220798b66ce91259238fbcb1b04e206f5a78959e5aeb.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Users\Admin\AppData\Local\417379.exe
      "C:\Users\Admin\AppData\Local\417379.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\417379.exe
    Filesize

    17KB

    MD5

    655f6edee75a4cc49a8fa34567037da9

    SHA1

    9ff2fc0ccc94230411c3f1507c648867e2306f14

    SHA256

    6481f9e27bec4cf6702b6d6a09761c62782f5010da0dfd0a396575c60200279d

    SHA512

    69754378ec7480c708aa3b7e979d0ec465b3e499e811d4a89ff1d5b863f7a796f8d5893fdcc90831c1374dd63782de3d02a06934564ddd1406fcbce98c63d89b

    Download Submit
  • C:\Users\Admin\AppData\Local\417379.exe
    Filesize

    17KB

    MD5

    655f6edee75a4cc49a8fa34567037da9

    SHA1

    9ff2fc0ccc94230411c3f1507c648867e2306f14

    SHA256

    6481f9e27bec4cf6702b6d6a09761c62782f5010da0dfd0a396575c60200279d

    SHA512

    69754378ec7480c708aa3b7e979d0ec465b3e499e811d4a89ff1d5b863f7a796f8d5893fdcc90831c1374dd63782de3d02a06934564ddd1406fcbce98c63d89b

    Download Submit
  • C:\Users\Admin\AppData\Local\417379.exe
    Filesize

    17KB

    MD5

    655f6edee75a4cc49a8fa34567037da9

    SHA1

    9ff2fc0ccc94230411c3f1507c648867e2306f14

    SHA256

    6481f9e27bec4cf6702b6d6a09761c62782f5010da0dfd0a396575c60200279d

    SHA512

    69754378ec7480c708aa3b7e979d0ec465b3e499e811d4a89ff1d5b863f7a796f8d5893fdcc90831c1374dd63782de3d02a06934564ddd1406fcbce98c63d89b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Ionic.Zip.dll
    Filesize

    451KB

    MD5

    6ded8fcbf5f1d9e422b327ca51625e24

    SHA1

    8a1140cebc39f6994eef7e8de4627fb7b72a2dd9

    SHA256

    3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd

    SHA512

    bda3a65133b7b1e2765c7d07c7da5103292b3c4c2f0673640428b3e7e8637b11539f06c330ab5d0ba6e2274bd2dcd2c50312be6579e75c4008ff5ae7dae34ce4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
    Filesize

    384KB

    MD5

    55c797383dbbbfe93c0fe3215b99b8ec

    SHA1

    1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

    SHA256

    5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

    SHA512

    648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
    Filesize

    384KB

    MD5

    55c797383dbbbfe93c0fe3215b99b8ec

    SHA1

    1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

    SHA256

    5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

    SHA512

    648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
    Filesize

    1.3MB

    MD5

    8be215abf1f36aa3d23555a671e7e3be

    SHA1

    547d59580b7843f90aaca238012a8a0c886330e6

    SHA256

    83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

    SHA512

    38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

    Download Submit
  • memory/2776-179-0x000000000DD30000-0x000000000DDA8000-memory.dmp
    Filesize

    480KB

    Download
  • memory/2776-150-0x000000000B5B0000-0x000000000BB54000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2776-174-0x000000000DCC0000-0x000000000DD26000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2776-133-0x00000000004B0000-0x000000000054E000-memory.dmp
    Filesize

    632KB

    Download
  • memory/2776-162-0x000000000CDF0000-0x000000000CE2C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2776-152-0x000000000C450000-0x000000000C612000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/2776-156-0x000000000C7D0000-0x000000000C832000-memory.dmp
    Filesize

    392KB

    Download
  • memory/2776-194-0x000000000DEE0000-0x000000000DEFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2776-202-0x0000000002A60000-0x0000000002A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2776-173-0x000000000DC40000-0x000000000DCB6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2776-149-0x000000000AF60000-0x000000000AFF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2776-134-0x0000000002A60000-0x0000000002A70000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4384-211-0x0000000000E00000-0x0000000000E08000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4384-212-0x000000001C460000-0x000000001C92E000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/4384-213-0x0000000001850000-0x00000000018F6000-memory.dmp
    Filesize

    664KB

    Download
  • memory/4384-214-0x0000000001900000-0x0000000001910000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4384-215-0x000000001BF10000-0x000000001BF72000-memory.dmp
    Filesize

    392KB

    Download
  • memory/4384-216-0x0000000001900000-0x0000000001910000-memory.dmp
    Filesize

    64KB

    Download