Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
24/03/2023, 21:08
General
-
Target
sample.exe
-
Size
6.3MB
-
MD5
c5312ef3c2394517918f27aeec8b97b3
-
SHA1
9f49b322a92a3ce3914aaf30f6c8163b987ec678
-
SHA256
3cf32b77fcb1783f3c5dbbf82bf6630618691f3d51dadd015a9fd43e92d7bc6d
-
SHA512
13e6b5461d165d217a48f63052ada527b16bb9be4e1e68adf53ba2d8b895ca292e8301a86ca0d091c1449242375d069a19f5adc81bb4509d903a1a74c589fd27
-
SSDEEP
196608:hgcWmJcIhc9dDxt7xhw5ZV983405QYtsTEB08T8HehLvkU:7CLdltlhaZHwVdfB08TOeh9
Malware Config
Extracted
revengerat
System Service
anonymous83.ddns.net:4040
RV_MUTEX-nawrHJfWfhaRC
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
RevengeRat Executable 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
VMProtect packed file 9 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 1 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies system certificate store 2 TTPs 9 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\PACKAGES.EXE"C:\Users\Admin\AppData\Roaming\PACKAGES.EXE"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\FINAL.EXE"C:\Users\Admin\AppData\Roaming\FINAL.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs7OohLZbYJaRSbgsdL3qHF+VKeg3jSI1WOfwSiuA/HV0pW9mgP8G3srknd2b3lBPGQ/wYBQmiQtGN1ZgtVC4saKgVIi0+sj0BECZLtzV+WpWqdHQYq1pK/EV5nF3StzFak=4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bfsvc.exeC:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1424 -s 20765⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Roaming\FINAL1.EXE"C:\Users\Admin\AppData\Roaming\FINAL1.EXE"3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1548 -s 19204⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE"C:\Users\Admin\AppData\Roaming\SYSTEM SERVICE.EXE"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sjjqivzg.cmdline"3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD0A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCFA.tmp"4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
Filesize
342B
MD5c74b79fd7641a4174f72fd9983337f91
SHA1f7f01cfeba1de1bab5bef86461db673fd8f39957
SHA2560b8730aaf74c3b6f4b22c57ecd3b96033594494a1edc259cadcef33071151a77
SHA512b184ac8af1b0edf485e7b08a6aa3c825dc2da3bad06752322590d626341329d2a041a108cbb4adfd182d7fa6fb27686adb08efc4076716b07ef508ed1d5faca3
-
Filesize
342B
MD50bb48969f203c9f48701d4e59714f4ec
SHA1d843bde29a9fe1729c88aefca4207ac172f369bd
SHA25615226e4816e93eff06d83700583e7760381141a8ac12334781ccb48657504078
SHA51255c74f9a6d0cbbee1b320ea473f16e41489ca551b3107b1d7ccfef0fced0219e7b90e84cb9cc30d63c71f3a8c5609e225e34cda8830b3af7a46bcefe1bb9a661
-
Filesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize
1KB
MD5a1e8b610a3e501cdbd41502094eb9a7f
SHA1e11f28c7943904a4ac6983fd6fd977f2aff333ff
SHA2567d124d74a6eb7e8fe12ed9d5351104ad5144c51a75f603f6fda49cd26d4b7382
SHA51204aff02c2cc4e97bd98eecbe2ee4e05ca7fdc2485e4fa103ac46bca24e0f690ad71c955213cfce61ba1c620aeaff4a6235864d4e1b9237ce4f1a88c3c57fb83b
-
Filesize
2.8MB
MD588ab0bb59b0b20816a833ba91c1606d3
SHA172c09b7789a4bac8fee41227d101daed8437edeb
SHA256f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA51205cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
-
Filesize
2.8MB
MD588ab0bb59b0b20816a833ba91c1606d3
SHA172c09b7789a4bac8fee41227d101daed8437edeb
SHA256f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA51205cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857
-
Filesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
Filesize
529B
MD55242530a2b65089696f3cf8e5ee02ff7
SHA1d604293148cdd953b3368c54920c043cffe9e1c1
SHA256239a1d9844ddbd0e650f8e5de69a2a40067106a79878fa4948a8039f1573b781
SHA5127aafe122d3b7b9d377f689a872c2306c3b04d5a8a7e4df69b65370e48356db416b5cacc6681a1f7315d0ad730fd12b651115a81bd4c880033e5ef89fa605c39a
-
Filesize
71KB
MD5899d3ed011eb58459b8a4fc2b81f0924
SHA180361f1e0b93143ec1ddfee156760f5938c85791
SHA2565e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05
-
Filesize
71KB
MD5899d3ed011eb58459b8a4fc2b81f0924
SHA180361f1e0b93143ec1ddfee156760f5938c85791
SHA2565e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954
SHA512802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05
-
Filesize
70B
MD5d90accebb3f79fe65cd938425c07b0ae
SHA19df3812a88d87dd419cd9e89afa5fb1d71be0dc9
SHA256aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e
SHA51244013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560
-
Filesize
265B
MD5ca906422a558f4bc9e471709f62ec1a9
SHA1e3da070007fdeae52779964df6f71fcb697ffb06
SHA256abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b
-
Filesize
107B
MD55cf0b95f68c3304427f858db1cdde895
SHA1a0c5c3872307e9497f8868b9b8b956b9736a9cdf
SHA256353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa
SHA5125c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b
-
Filesize
158B
MD5fe4eabc997c7a167e1fbeac9bac62c66
SHA1e5aa37e2a368dee352b6755947c0ee03bc565bd8
SHA256c1f7fdedad51c8b8e2c6597763eb043b571a82720879dd35ef8b4588ecf0c289
SHA51265ef77f64dd327c3d1e6b519618d111775cee709566e56207f5f92229964feb0b31d8a9eceb756127f39d25a5ecb8c4d1aaa5eb6a458d7cd038f77a0c0e3c9e3
-
Filesize
202B
MD562b1a9369933584e24a192f3053409f6
SHA1e4052be39d7b8d89530dfef33dabee261fd6c4ed
SHA2564538cc117753990aa22445580fb3cc0d2fd3ca4d27d0b98ed2a5b4be8e6e3a1b
SHA512b8fcf89f17933c332105aaae394d2954771f99342ec295ae7617b209e54c971c06d4c39e899abe68f618ed61fb07d3b794fbf29dc8838546fd74f97a6f41552b
-
Filesize
676B
MD5751ae76305422d9d886fdecfe0ee4507
SHA111235253cdcce52c566cfb6a47d556a884c45aff
SHA25655d58db029cb1d62dece14ba90803a552d1bdfcf4ea34f66e4d9f8b1d6b13cd8
SHA512a6bee99cbc516aa567b02a0f696a015cf77410f5fa0048cf34d84eb8ff2cf34d8a85ae17a484dd7fa3f397177406b414c69846c4f0b51bdcd755a323dbfa9b76
-
Filesize
5.9MB
MD584f0399f855ceff7bb020bca9c3bee1b
SHA14988dea4cf742dab85defdc89afe3ce092fc0a87
SHA256bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd
SHA51279c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6
-
Filesize
5.9MB
MD584f0399f855ceff7bb020bca9c3bee1b
SHA14988dea4cf742dab85defdc89afe3ce092fc0a87
SHA256bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd
SHA51279c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6
-
Filesize
293KB
MD57bb3828c90ffa74016c20224368bd2b5
SHA1f63228f3a89bea826c1d037c2a9f181dea34e2d4
SHA25653acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03
SHA512bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4
-
Filesize
293KB
MD57bb3828c90ffa74016c20224368bd2b5
SHA1f63228f3a89bea826c1d037c2a9f181dea34e2d4
SHA25653acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03
SHA512bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4
-
Filesize
6.3MB
MD5671fcb9a314f9edfb0b5367bf8c2a237
SHA1d394d5b923500848b28b1eda036a1be6118526b4
SHA25652c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910
SHA51210c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712
-
Filesize
6.3MB
MD5671fcb9a314f9edfb0b5367bf8c2a237
SHA1d394d5b923500848b28b1eda036a1be6118526b4
SHA25652c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910
SHA51210c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712
-
Filesize
18KB
MD5965dedfcd9f0a710b833ab55e46516cb
SHA125e03377de7902f58fb56674313e5463fbaa2131
SHA25698920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288
SHA512c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f
-
Filesize
18KB
MD5965dedfcd9f0a710b833ab55e46516cb
SHA125e03377de7902f58fb56674313e5463fbaa2131
SHA25698920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288
SHA512c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f
-
Filesize
18KB
MD5965dedfcd9f0a710b833ab55e46516cb
SHA125e03377de7902f58fb56674313e5463fbaa2131
SHA25698920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288
SHA512c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f
-
Filesize
5.9MB
MD584f0399f855ceff7bb020bca9c3bee1b
SHA14988dea4cf742dab85defdc89afe3ce092fc0a87
SHA256bfcf07ea2e027d038aadc5f9986b28f2f262ae845541946592d36c1c16a0c5fd
SHA51279c1698044afcde69938a7de67c24db5c0084e7a5f7a4f8a72203d150a2f783152aa5392c9df276374cd556b63508c32a218c989fe7e71aef1c077e39a97a7a6
-
Filesize
293KB
MD57bb3828c90ffa74016c20224368bd2b5
SHA1f63228f3a89bea826c1d037c2a9f181dea34e2d4
SHA25653acddd69e775049cd52ff66bf615a382548c2db2683726e79b14c1ddd9e4e03
SHA512bb86b536828b0e42f0f9fe22ce53bdff95aeb335716b2dc43dd36aead66695d9990030911515b6e604c142d50599a759d5b59c07d20d0d178ac29e0498f73fe4
-
Filesize
6.3MB
MD5671fcb9a314f9edfb0b5367bf8c2a237
SHA1d394d5b923500848b28b1eda036a1be6118526b4
SHA25652c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910
SHA51210c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712
-
Filesize
6.3MB
MD5671fcb9a314f9edfb0b5367bf8c2a237
SHA1d394d5b923500848b28b1eda036a1be6118526b4
SHA25652c914532d0997ad55f7ec16c17e81a303265a745f3b69dbddc088564a6ad910
SHA51210c2f57d5b6766841e248b9c63c5761240f417f0e7fcb1684c02116d9b97686a1d4c2d61382050e1049306ed139ea50ad65d034ddfc389920d2a2f6367f50712
-
Filesize
18KB
MD5965dedfcd9f0a710b833ab55e46516cb
SHA125e03377de7902f58fb56674313e5463fbaa2131
SHA25698920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288
SHA512c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f
-
Filesize
18KB
MD5965dedfcd9f0a710b833ab55e46516cb
SHA125e03377de7902f58fb56674313e5463fbaa2131
SHA25698920cd3d32ee2cf01fe1f6b42c3bc7779c1d679c56018d470a0a0e1eb2f3288
SHA512c0bbfbf5a4b41862166556aac69aefad9f8ded98b7d8d20960bb6bd8b0929fe563b7dcf4142009d95e8b204ff365f810b7d481d3d28fd8a0355c23290237925f
-
Filesize
512KB
-
Filesize
40KB
-
Filesize
9.0MB
-
Filesize
3.3MB
-
Filesize
192KB
-
Filesize
200KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
48KB
-
Filesize
648KB
-
Filesize
512KB
-
Filesize
704KB
-
Filesize
24KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
520KB