Overview

overview

10

Static

static

10

48e367e5b9...8f.zip

windows10-2004-x64

10

6cd0949a8e...3e.elf

windows10-2004-x64

3

Resubmissions

06-05-2023 10:17

230506-mbkhvsgg39 10

06-05-2023 01:56

230506-ccnlssfe48 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48e367e5b9db7478257fc4634694598f.bin

  • Size

    39KB

  • Sample

    230506-mbkhvsgg39

  • MD5

    35136a7a87b406bae6e5a36493fc254e

  • SHA1

    64dca99df91045fc89d91ac3587c6cb7c885ff7a

  • SHA256

    eb0668675cabaa17d3ccf8461ad1342a950504ed324eb80167f4c32fccac2fba

  • SHA512

    9e82e1515ab5782febcf630a957fb740a916fde53c5ac6c04b1fdf55386f0dd28ce15b9ff25b7c1d626bae05e3b11fad479f5463aa649d73d5fb27fbfbe4a289

  • SSDEEP

    768:JSmqeKyd941bdyJCuvL45TMl1oW6NQNLetnsyaFJd5r/ttWejazbStXfkJ:JS1aK6gu85T81ojQEhsfdlFhjQgfkJ

Score
10/10
mirairevengeratguestunstablebootkitdiscoveryexploitpersistencestealertrojanupx

Malware Config

Extracted

Family

mirai

Botnet

UNSTABLE

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

Mutex

RV_MUTEX

Targets

    • Target

      48e367e5b9db7478257fc4634694598f.bin

    • Size

      39KB

    • MD5

      35136a7a87b406bae6e5a36493fc254e

    • SHA1

      64dca99df91045fc89d91ac3587c6cb7c885ff7a

    • SHA256

      eb0668675cabaa17d3ccf8461ad1342a950504ed324eb80167f4c32fccac2fba

    • SHA512

      9e82e1515ab5782febcf630a957fb740a916fde53c5ac6c04b1fdf55386f0dd28ce15b9ff25b7c1d626bae05e3b11fad479f5463aa649d73d5fb27fbfbe4a289

    • SSDEEP

      768:JSmqeKyd941bdyJCuvL45TMl1oW6NQNLetnsyaFJd5r/ttWejazbStXfkJ:JS1aK6gu85T81ojQEhsfdlFhjQgfkJ

    Score
    10/10
    revengeratguestbootkitdiscoveryexploitpersistencestealertrojanupx

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • RevengeRat Executable

      stealer

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1

    • Target

      6cd0949a8eff63d58b93198cd78407725c26bac36bdf32d107ea645427b1793e.elf

    • Size

      83KB

    • MD5

      48e367e5b9db7478257fc4634694598f

    • SHA1

      6b0a268621c37beb426cbd0cede1096d506f0249

    • SHA256

      6cd0949a8eff63d58b93198cd78407725c26bac36bdf32d107ea645427b1793e

    • SHA512

      faa89ab1b590e93186bf3f99f7174e72fb63b6c2dbfba87b925bb5405e207bcb4512aadb94fbf03f3369fc9ae59d17844734140f4783129d85295f7c0af95197

    • SSDEEP

      1536:989ZMhSciiTprs0MiJBRv4vK85El7feEf4nIwcJSx5:ciYi22QvUl7feaIcQ

    Score
    3/10
    behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

File Permissions Modification

1
T1222

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks