Analysis
  max time kernel: 148s
  max time network: 153s
  platform: windows10-2004_x64
  resource: win10v2004-20230915-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
  submitted: 15-09-2023 15:58
Static task: static1
Behavioral task: behavioral1
  Sample: 15663f7481c8b2a19dbe62014fa8a948.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 15663f7481c8b2a19dbe62014fa8a948.exe
  Resource: win10v2004-20230915-en
General
  Target: 15663f7481c8b2a19dbe62014fa8a948.exe
  Size: 85KB
  MD5: 15663f7481c8b2a19dbe62014fa8a948
  SHA1: d5875cbdf0b84e14cef8cf1249bae06a3ab4f57b
  SHA256: a96543da023e22eff83c1f152b980627a3efba8bd0d228171df6e4ac3b95ab89
  SHA512: 49883051f92e52094345e0b710754ce8445156ef9b20ad3cf0594a894615784b7b6240dfc2f5b0e915b5d5329163826988136921dd02a5e2d35fa60997c8820a
  SSDEEP: 1536:ER6XtX3eJG53G73mxdvd830Shhcqv/J+Kf/+9HIxCLsgmzU:o6t32GhNvWPhhco/J+Kn+9HIxCLsgmg
Malware Config
  Extracted
    Family: revengerat
    Botnet: Test crypt
    C2: pplfoot1.ddns.net:1177
    Mutex: RV_MUTEX-wpnFwUnoWrUU
Signatures

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

RevengeRat Executable (1 IoC)
  resource | yara_rule
  behavioral2/memory/5040-9-0x00000000084C0000-0x00000000084C8000-memory.dmp | revengerat

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | 15663f7481c8b2a19dbe62014fa8a948.exe

Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | 15663f7481c8b2a19dbe62014fa8a948.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | 15663f7481c8b2a19dbe62014fa8a948.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe | chrome.exe

Executes dropped EXE (1 IoC)
  pid | Process
  228 | chrome.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | 15663f7481c8b2a19dbe62014fa8a948.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 15663f7481c8b2a19dbe62014fa8a948.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 | chrome.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5040 | 15663f7481c8b2a19dbe62014fa8a948.exe
  Token: SeDebugPrivilege | 228 | chrome.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5040 wrote to memory of 228 | 5040 | 15663f7481c8b2a19dbe62014fa8a948.exe | 85
  PID 5040 wrote to memory of 228 | 5040 | 15663f7481c8b2a19dbe62014fa8a948.exe | 85
  PID 5040 wrote to memory of 228 | 5040 | 15663f7481c8b2a19dbe62014fa8a948.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\15663f7481c8b2a19dbe62014fa8a948.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15663f7481c8b2a19dbe62014fa8a948.exe"
   PID: 5040
   - Checks computer location settings
   - Drops startup file
   - Checks processor information in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrome.exe"
      PID: 228
      - Drops startup file
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads (3 entries, all with identical hashes)
  Filesize: 85KB
  MD5: 15663f7481c8b2a19dbe62014fa8a948
  SHA1: d5875cbdf0b84e14cef8cf1249bae06a3ab4f57b
  SHA256: a96543da023e22eff83c1f152b980627a3efba8bd0d228171df6e4ac3b95ab89
  SHA512: 49883051f92e52094345e0b710754ce8445156ef9b20ad3cf0594a894615784b7b6240dfc2f5b0e915b5d5329163826988136921dd02a5e2d35fa60997c8820a