Analysis
-
max time kernel
134s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
27-03-2023 02:38
General
-
Target
ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
-
Size
136KB
-
MD5
b9d014296827c8d325ba1e1b0f4b2793
-
SHA1
8749106256cdca0d200f76728d0a873dd13c22e9
-
SHA256
ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
-
SHA512
6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
SSDEEP
3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 11 IoCs
-
Drops startup file 7 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe"C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dlkiqde8.cmdline"5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1BDC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1BDB.tmp"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Hello World!','Hello!',0,64)5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txtFilesize
87B
MD52a6ee4a9550faca67c3f52db9c36e52e
SHA1de5987bfbc5ac07bc85702f17981c144543609e7
SHA256e44b97a36d3b21761662ac9b751c5bfe3d335fba75314b33a2d0914f59065e19
SHA512d918830524cff5ba2afc681c9f12f7e91a8377e3c176ff66090a99339f1ecd8fe034d206772652c209e9d3b140592d05b5e86824f80c6af2785506dd8e618518
-
C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txtFilesize
102B
MD53ea0daae067021cd90162c143f3a0f65
SHA10e68f67af02ea70c86344cab93545fc9e5d13ac4
SHA256692d995eb7fd8139fca7c470396de57a4e2216771944d76437eb88e41dba47db
SHA512c1d6460b1b603c1bcdc40edb707a0fe2bf85b86f8b23739b8610a6406ae170340407da040af5c254a51af0864491323d57961a2bd0dd023cadd74bf424d254c0
-
C:\Users\Admin\AppData\Local\Temp\RES1BDC.tmpFilesize
1KB
MD564eb56b382a91e20adbb05111abd4e10
SHA10ad92c09e5949c304c88ceea807434bd62d3c3fc
SHA256327fa648e663918b6341fe923f2a8841dc672d29e2a8b34c6c46901e3563a5b1
SHA5121bbbdec98793f62f45db142c97da99eb6c14c8cd52f7dcec6a3597c737031576f2091e1386ef2e385cd39354f5e2024d61cf997049a3c705526ed92e6df003b7
-
C:\Users\Admin\AppData\Local\Temp\dlkiqde8.0.vbFilesize
196B
MD5803499f1d5ca92d8ce1907b2821ece7b
SHA182203fef93304ac6e1fef0e8ec8246abeeb333e7
SHA2563c768cd5c2d854526a3fefbac61f33ecdb7b0165a559137d62b5bd810bbffee5
SHA5122ce8484bae3eb1df72bd57c9eaf9f33d85bac22bdfad87180b5ba6e52d2a3b39b3b29c0379052696ae2509dc9006422e508d7431264d6a067d564be3eee930f6
-
C:\Users\Admin\AppData\Local\Temp\dlkiqde8.cmdlineFilesize
194B
MD557bedad5ad87ef4c79a05280f7fbbd92
SHA1541bf300eae7a2e2e477491ff95b79bbf5ec888d
SHA25610c4086c2b8ad962fe4461648318087383fa243cfb0f64f121922be634566c83
SHA5122a2dec8b1a0b99a660daa03bbf11fde5ee4c58d567d76b1a6086c4114d70a6432dd67cef1b02ae1912349f6676cc97019267ec5cc2cef1d3b0ce5c87769424ec
-
C:\Users\Admin\AppData\Local\Temp\vbc1BDB.tmpFilesize
644B
MD523c5f6c5bb4e5de59ec5aa884ea098d3
SHA17240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83
SHA2567e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27
SHA512bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exeFilesize
136KB
MD5b9d014296827c8d325ba1e1b0f4b2793
SHA18749106256cdca0d200f76728d0a873dd13c22e9
SHA256ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f
SHA5126d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6
-
memory/592-142-0x0000000002380000-0x00000000023C0000-memory.dmpFilesize
256KB
-
memory/592-141-0x0000000002380000-0x00000000023C0000-memory.dmpFilesize
256KB
-
memory/696-71-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-69-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-76-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-77-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-81-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-84-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-70-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/696-72-0x0000000000080000-0x000000000008C000-memory.dmpFilesize
48KB
-
memory/924-85-0x00000000005C0000-0x0000000000600000-memory.dmpFilesize
256KB
-
memory/924-59-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-55-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-56-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-57-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-68-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-58-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-86-0x00000000005C0000-0x0000000000600000-memory.dmpFilesize
256KB
-
memory/924-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/924-62-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/924-65-0x0000000000080000-0x00000000000A8000-memory.dmpFilesize
160KB
-
memory/932-114-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/932-112-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1372-116-0x00000000002C0000-0x0000000000300000-memory.dmpFilesize
256KB
-
memory/1372-115-0x00000000002C0000-0x0000000000300000-memory.dmpFilesize
256KB
-
memory/1372-103-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1372-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB