General
- Target: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Size: 62.9MB
- Sample: 230628-hlzy3sge87
- MD5: 18533e6820766306144e432b9616ecbf
- SHA1: ed5470f3b31853ac2fc80f4d1646db3b6cb09276
- SHA256: 6713695798164eeef13de43bffb24f47b82e58a68c12b92bcee41d45f864e931
- SHA512: 26f29dbf8f522ea909c477f2ded551dadf1626ed9707efc58759c8a8f8b17ebff0d0ea79feb6067db01c8983bd5c1ad7b9385b539574b868ca0d047b8cd3e4f0
- SSDEEP: 1572864:yJ+g8ROZq79HMryExyFbqDXA6kZ/EJLV5+LFQ1TJbezilwOb:yD8RO+BTbkw4J5+LFAwzub

Static task: static1

Behavioral task: behavioral1
- Sample: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Resource: win7-20230621-en

Behavioral task: behavioral2
- Sample: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Resource: win10v2004-20230621-en
Malware Config
Targets
- Target: expressvpn_windows_12.49.0.4_release [pesktop.com].exe (same file, size and hashes as listed under General)
- Score: 10/10

Signatures
- RevengeRat Executable
- Blocklisted process makes network request
- Downloads MZ/PE file
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops file in System32 directory