Analysis
- Max time kernel: 21s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 08-05-2023 14:30
Behavioral task: behavioral1
- Sample: Client.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Client.exe
- Resource: win10v2004-20230220-en
General
- Target: Client.exe
- Size: 101KB
- MD5: 090f262b8a9b0787153b25d5f56b7ad2
- SHA1: fde298860db49eb41a08434243a8259a01ca1043
- SHA256: 1d98a73f2a9fd2de42950b4b1c7f9de1cf7ec6d56523565675b51410274b9ab8
- SHA512: ee2d19d95d92b0269f493a0666bd73b1e0ef6224f9773f41bde46515865c8e060bf6ce262c253ed64564bcc0137efebab2ee43e67700ba43a22002c07ad85572
- SSDEEP: 1536:uu+z/aQkPlpqNZoMoj58oZJbZseudD/FB3BINVRX3FjBqatD3tSYl9h:EMlpqNZoMS58oZJ9shx3BINZjH9SYl
Malware Config
Extracted: revengerat
- Guest
- 127.0.0.1:333
- RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (2 IoCs)
  Matched resources (yara_rule: revengerat):
  - behavioral1/memory/1724-54-0x00000000008D0000-0x00000000008EE000-memory.dmp
  - behavioral1/memory/1724-55-0x0000000001FE0000-0x0000000002060000-memory.dmp
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes: taskmgr.exe (pid 1464), all 15 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: taskmgr.exe (pid 1464)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1724 / Client.exe
  - Token: SeDebugPrivilege / 1464 / taskmgr.exe
- Suspicious use of FindShellTrayWindow (28 IoCs)
  Processes: taskmgr.exe (pid 1464), all 28 entries
- Suspicious use of SendNotifyMessage (27 IoCs)
  Processes: taskmgr.exe (pid 1464), all 27 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Downloads (memory dump / filesize)
- memory/1464-56-0x0000000140000000-0x00000001405E8000-memory.dmp / 5.9MB
- memory/1464-57-0x0000000140000000-0x00000001405E8000-memory.dmp / 5.9MB
- memory/1464-59-0x0000000140000000-0x00000001405E8000-memory.dmp / 5.9MB
- memory/1464-60-0x0000000002070000-0x0000000002071000-memory.dmp / 4KB
- memory/1724-54-0x00000000008D0000-0x00000000008EE000-memory.dmp / 120KB
- memory/1724-55-0x0000000001FE0000-0x0000000002060000-memory.dmp / 512KB
- memory/1724-58-0x0000000001FE0000-0x0000000002060000-memory.dmp / 512KB