Overview

overview

10

Static

static

10

sample.exe

windows7-x64

10

sample.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sample.exe

  • Size

    6.3MB

  • Sample

    230324-zyvzbshd59

  • MD5

    c5312ef3c2394517918f27aeec8b97b3

  • SHA1

    9f49b322a92a3ce3914aaf30f6c8163b987ec678

  • SHA256

    3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d

  • SHA512

    13e6b5461d165d217a48f63052ada527b16bb9be4e1e68adf53ba2d8b895ca292e8301a86ca0d091c1449242375d069a19f5adc81bb4509d903a1a74c589fd27

  • SSDEEP

    196608:hgcWmJcIhc9dDxt7xhw5ZV983405QYtsTEB08T8HehLvkU:7CLdltlhaZHwVdfB08TOeh9

Score
10/10
revengeratsystem serviceevasionpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

revengerat

Botnet

System Service

C2

anonymous83.ddns.net:4040

Mutex

RV_MUTEX-nawrHJfWfhaRC

Targets

    • Target

      sample.exe

    • Size

      6.3MB

    • MD5

      c5312ef3c2394517918f27aeec8b97b3

    • SHA1

      9f49b322a92a3ce3914aaf30f6c8163b987ec678

    • SHA256

      3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d

    • SHA512

      13e6b5461d165d217a48f63052ada527b16bb9be4e1e68adf53ba2d8b895ca292e8301a86ca0d091c1449242375d069a19f5adc81bb4509d903a1a74c589fd27

    • SSDEEP

      196608:hgcWmJcIhc9dDxt7xhw5ZV983405QYtsTEB08T8HehLvkU:7CLdltlhaZHwVdfB08TOeh9

    Score
    10/10
    revengeratsystem serviceevasionpersistencespywarestealertrojanvmprotectupx

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • RevengeRat Executable

      stealer

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Scripting

1
T1064

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

8
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

7
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks