Overview

overview

10

Static

static

10

ea0c4df308...4f.exe

windows7-x64

10

ea0c4df308...4f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe

  • Size

    136KB

  • MD5

    b9d014296827c8d325ba1e1b0f4b2793

  • SHA1

    8749106256cdca0d200f76728d0a873dd13c22e9

  • SHA256

    ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f

  • SHA512

    6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6

  • SSDEEP

    3072:rssOu1QbkQzxsf9vIyqhSJTibjMJGEA1u4B+:rsslkkQMvqUibg8EEj+

Score
10/10
revengeratstealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 7 IoCs
    stealer
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe
    "C:\Users\Admin\AppData\Local\Temp\ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
        3⤵
          PID:4400
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4460
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
            4⤵
              PID:1752
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 200
                5⤵
                • Program crash
                PID:2732
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1752 -ip 1752
        1⤵
          PID:2812

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\aspnet_compiler.exe.log
          Filesize

          213B

          MD5

          542799505971e4b49beff1e58bfa61cb

          SHA1

          7a3939442a6a4f209fa8f5a6246eeb6d29621596

          SHA256

          af4e0cd2feb1b66da325e63c2b0f6245996c056b3707b8dd6b35b9f20b92c78c

          SHA512

          c07e2e000dd30566a394b171e0cf0927bc65c07b90825c688804f2b73ae1af70c30ed255a1ccc679a979dc4bd96bcb537ff69723aada4549fa81fe8657bc6a7d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\DvZwfRt.txt
          Filesize

          102B

          MD5

          3ea0daae067021cd90162c143f3a0f65

          SHA1

          0e68f67af02ea70c86344cab93545fc9e5d13ac4

          SHA256

          692d995eb7fd8139fca7c470396de57a4e2216771944d76437eb88e41dba47db

          SHA512

          c1d6460b1b603c1bcdc40edb707a0fe2bf85b86f8b23739b8610a6406ae170340407da040af5c254a51af0864491323d57961a2bd0dd023cadd74bf424d254c0

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
          Filesize

          136KB

          MD5

          b9d014296827c8d325ba1e1b0f4b2793

          SHA1

          8749106256cdca0d200f76728d0a873dd13c22e9

          SHA256

          ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f

          SHA512

          6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
          Filesize

          136KB

          MD5

          b9d014296827c8d325ba1e1b0f4b2793

          SHA1

          8749106256cdca0d200f76728d0a873dd13c22e9

          SHA256

          ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f

          SHA512

          6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
          Filesize

          136KB

          MD5

          b9d014296827c8d325ba1e1b0f4b2793

          SHA1

          8749106256cdca0d200f76728d0a873dd13c22e9

          SHA256

          ea0c4df308a6b31c6ec10f00a3bcda9c0f38ed382a753f848f14d5b6fa24b84f

          SHA512

          6d90d55a358568d1f4731c9bb99eea47777a7ce01db8f9fdc1ea38ffab72d06a2ae1d8d425e0a52ea546d790ee4ae9402748666d1bfbeb41f89c29fdace11fa6

          Download Submit
        • memory/1560-154-0x0000000001470000-0x0000000001480000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1560-136-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1560-137-0x0000000001470000-0x0000000001480000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1560-134-0x0000000000400000-0x0000000000428000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1752-175-0x00000000001B0000-0x00000000001D8000-memory.dmp
          Filesize

          160KB

          Download
        • memory/1752-172-0x00000000001B0000-0x00000000001D8000-memory.dmp
          Filesize

          160KB

          Download
        • memory/4400-138-0x0000000000400000-0x000000000040C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/4748-141-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-152-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-153-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-151-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-150-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-149-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-148-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-147-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-143-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4748-142-0x000002C0C7F40000-0x000002C0C7F41000-memory.dmp
          Filesize

          4KB

          Download