Analysis
-
max time kernel
140s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
23-03-2023 02:00
General
-
Target
Lotus.exe
-
Size
136KB
-
MD5
b9d014296827c8d325ba1e1b0f4b2793
-
SHA1
8749106256cdca0d200f76728d0a873dd13c22e9
-
SHA256
ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
-
SHA512
6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
SSDEEP
3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 14 IoCs
-
Drops startup file 7 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Lotus.exe"C:\Users\Admin\AppData\Local\Temp\Lotus.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nvkzenv5.cmdline"5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3861.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3850.tmp"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello World!','Hello!',0,64)5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txtFilesize
87B
MD52a6ee4a9550faca67c3f52db9c36e52e
SHA1de5987bfbc5ac07bc85702f17981c144543609e7
SHA256e44b97a36d3b21761662ac9b751c5bfe3d335fba75314b33a2d0914f59065e19
SHA512d918830524cff5ba2afc681c9f12f7e91a8377e3c176ff66090a99339f1ecd8fe034d206772652c209e9d3b140592d05b5e86824f80c6af2785506dd8e618518
-
C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txtFilesize
43B
MD5bfe2e72ed39cc1985e58d6b6359279d7
SHA120b4ec4ef6cfda3a1f33f3193c0ba4ed8105755d
SHA25631c9c3b89067d95d798713d594a17ea051d0c469c9b189ca48e39704464531f2
SHA512940c7a6cda11e79a4d229bcd45624089f0f5f83ef80ccabcc8eaa83b83a7f5019fd960e5be70fabe464d08237f13287faf603704efb2e8efc2449982096a3c94
-
C:\Users\Admin\AppData\Local\Temp\RES3861.tmpFilesize
1KB
MD564810a46c1b3d28b3897c576cd319dc4
SHA12f83789e41c480652c059a57be88284992147a05
SHA2563322b637eabfed7fb950c30e37ef84fb14f4988d67fb1459ad9408e1cbbcc305
SHA5129a579f2c7024f7fdf06bc198ba279ec26976fa3984396b0743fff6a70c216d564b26bb4c8d562ac458cf924e975331d65b78e16bee76b6e3547acb343bdf7ca0
-
C:\Users\Admin\AppData\Local\Temp\nvkzenv5.0.vbFilesize
196B
MD5803499f1d5ca92d8ce1907b2821ece7b
SHA182203fef93304ac6e1fef0e8ec8246abeeb333e7
SHA2563c768cd5c2d854526a3fefbac61f33ecdb7b0165a559137d62b5bd810bbffee5
SHA5122ce8484bae3eb1df72bd57c9eaf9f33d85bac22bdfad87180b5ba6e52d2a3b39b3b29c0379052696ae2509dc9006422e508d7431264d6a067d564be3eee930f6
-
C:\Users\Admin\AppData\Local\Temp\nvkzenv5.cmdlineFilesize
194B
MD5d47adf94bf34e954468baee6697c33b0
SHA1bdd8cda12bd2949a001ef63f1cc58e315f0b61b7
SHA2565a24fa163ae5d74f4258c8318b7d70169020e5bdcd162d14c005c5f5ff5b441a
SHA51212ffa906cf6ab539e32f014343fb491d682e6cdb9fe392ae2fa27f27ca0053c4987c1e2ed33e6d75b7a5bf67af9b1cea56005cb6aab6c0daf0571d30b6941dff
-
C:\Users\Admin\AppData\Local\Temp\vbc3850.tmpFilesize
644B
MD523c5f6c5bb4e5de59ec5aa884ea098d3
SHA17240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83
SHA2567e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27
SHA512bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
memory/1328-137-0x00000000023A0000-0x00000000023E0000-memory.dmpFilesize
256KB
-
memory/1328-136-0x00000000023A0000-0x00000000023E0000-memory.dmpFilesize
256KB
-
memory/1636-71-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-74-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-70-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-69-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-77-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-79-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1636-72-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1808-110-0x00000000001E0000-0x0000000000220000-memory.dmpFilesize
256KB
-
memory/1808-111-0x00000000001E0000-0x0000000000220000-memory.dmpFilesize
256KB
-
memory/1808-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1808-98-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1868-109-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1868-107-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1968-68-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-81-0x00000000004C0000-0x0000000000500000-memory.dmpFilesize
256KB
-
memory/1968-55-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-80-0x00000000004C0000-0x0000000000500000-memory.dmpFilesize
256KB
-
memory/1968-65-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-62-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1968-59-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-58-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-57-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB
-
memory/1968-56-0x0000000000090000-0x00000000000B8000-memory.dmpFilesize
160KB