General

Target: expressvpn_windows_12.38.0.60_release.exe
Size: 57.9MB
Sample: 230615-p2sm9sha28
MD5: c2f43c3bd04b18b42538f21d5c35769c
SHA1: c82bd94359c17d96d7e6195fb3350e5944747fa0
SHA256: 6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
SHA512: e220f439900da7058b430e0ee98eaf92b7063143071026ddb1234f1800978c4a3a4ca55252811d45ef8339a5cddcbd2a1f5deeb7036c8b23f4f09f207a6bf6a4
SSDEEP: 1572864:dKaNvbJ8xod7dyy6KsEcOEhn8Oi2dLLflzBfaAThAz80FcaTT2uqGN:dKYCxod7dDHHUVvdL7LSTSgT2uT
Static task: static1
Behavioral task: behavioral1
Sample: expressvpn_windows_12.38.0.60_release.exe
Resource: win10v2004-20230220-en
Malware Config
Targets
Target: expressvpn_windows_12.38.0.60_release.exe
- RevengeRat Executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets file execution options in registry
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger