General

  • Target: expressvpn_windows_12.55.0.27_release.exe
  • Size: 64.3MB
  • Sample: 230814-pxr6yaea5t
  • MD5: 01ea6bbb71d93bb90ff3eabddf487bd0
  • SHA1: 251cddc2dfebc6adca191ba2f11fff3a4fef8746
  • SHA256: 8644aab58a88f3490f6a1989b679d2e8a74309b8909d6fb4168470bc7023d0bc
  • SHA512: fbaaf23bd4cc2bd238c0b4f6634e70e769ae30e2ce8ff67d34898a1fc24da264b4cc5afbd5f740970d5614c5e9d7407a7e6009f4e3728de9db19bf4af0ad9be6
  • SSDEEP: 1572864:Mo5GmwXDfmCP+zj1iXKDPn7XtJ+wK894oNHi/DmwSYJcuHnHJWLV:d0DeZhNDLtJi894YZgHa

Malware Config

Targets

    • Target: expressvpn_windows_12.55.0.27_release.exe
    • Size: 64.3MB
    • MD5: 01ea6bbb71d93bb90ff3eabddf487bd0
    • SHA1: 251cddc2dfebc6adca191ba2f11fff3a4fef8746
    • SHA256: 8644aab58a88f3490f6a1989b679d2e8a74309b8909d6fb4168470bc7023d0bc
    • SHA512: fbaaf23bd4cc2bd238c0b4f6634e70e769ae30e2ce8ff67d34898a1fc24da264b4cc5afbd5f740970d5614c5e9d7407a7e6009f4e3728de9db19bf4af0ad9be6
    • SSDEEP: 1572864:Mo5GmwXDfmCP+zj1iXKDPn7XtJ+wK894oNHi/DmwSYJcuHnHJWLV:d0DeZhNDLtJi894YZgHa

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                            Count  ID
  Persistence           Boot or Logon Autostart Execution    1      T1547
  Persistence           Registry Run Keys / Startup Folder   1      T1547.001
  Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
  Privilege Escalation  Registry Run Keys / Startup Folder   1      T1547.001
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             Query Registry                       1      T1012
  Discovery             Peripheral Device Discovery          1      T1120
  Discovery             System Information Discovery         2      T1082

Tasks