General
- Target: expressvpn_windows_12.48.0.49_release.exe
- Size: 62.9MB
- Sample: 230504-fwz1qaaa57
- MD5: 3da6d5f929181cd21fec8185cdb0f4ec
- SHA1: f7d23460dbbeb2006da63a8c4076ca24f6137b43
- SHA256: 18804904d6fd09134cf8cd5a275af545c91cac966b40eca59aab052ceae5fb10
- SHA512: a8d0eae9dc9290dcb1d774aa8b7c6e98a411f9b87bb4dd7289cf5e77370532a5349c83cf6e9de11e5584379f669627d0b010f0c32bfc90b9d00ecaeedb0c1d57
- SSDEEP: 1572864:AJ9elNwYoLFrDW1VbxAy9EhbuyvOUip66RBmxKoIVFNkB+/YBCbm:Ayl+YmuPGy9E9DiU6RBUKoIVFN++/iCi
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: expressvpn_windows_12.48.0.49_release.exe
  - Resource: win7-20230220-es
- Behavioral task: behavioral2
  - Sample: expressvpn_windows_12.48.0.49_release.exe
  - Resource: win10v2004-20230220-es
Malware Config
(none extracted)

Targets
- Target: expressvpn_windows_12.48.0.49_release.exe
- Score: 10/10

Signatures
- RevengeRat Executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory