General
-
Target
The-MALWARE-Repo
-
Size
265KB
-
Sample
240228-tyjneagc5x
-
MD5
0198600239dd2b00d6ffea6c5d545b87
-
SHA1
114b32d6da0ebd11efb8bec44c3763a029c2a2c7
-
SHA256
7d7b9af864f7f91b5f6450674774e4cea687b65aa94906f127c96b550ff4fee9
-
SHA512
6e157729b6f4e271ad38a69f9e7bac3644352ef251f6d62e3604e2f62a8110e770c8c999cbc2b924a4a5156823700928c2bb3fd8949562b08b99824099ced2c5
-
SSDEEP
6144:pDuqJ6f10VSgE29xxspm0n1vuz3Fm9lvZJT3CqbMrhryfQNRPaCieMjAkvCJv1Vq:kf10VSgE29xxspm0n1vuz3g9lvZJT3C0
Static task
static1
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Extracted
C:\Users\Admin\Desktop\@Please_Read_Me@.txt
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
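The extracted configs above give three usable network indicators: the LokiBot gate URLs (all ending in `/fre.php`), the RevengeRAT endpoint on a rotating ngrok TCP edge, and the fact that ngrok itself is legitimate infrastructure and so only a weak signal on its own. The script below is an added example written for this page, not part of the sandbox report: it loads those indicators and classifies constructed proxy log lines (the log format and every line of sample data are assumptions made for illustration).

```python
"""Match the C2 indicators from the extracted configs above against proxy log
lines. Added example, not part of the sandbox report; the log lines are constructed."""
import re
from urllib.parse import urlparse

# Indicators copied from the Malware Config section of this report.
LOKIBOT_C2_URLS = [
    "http://blesblochem.com/two/gates1/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
REVENGERAT_C2_HOST, REVENGERAT_C2_PORT = "0.tcp.ngrok.io", 19521

# Exact-match host set, plus a looser pattern for the LokiBot gate script,
# which stays at /fre.php even when the operator rotates domains.
C2_HOSTS = {urlparse(u).hostname for u in LOKIBOT_C2_URLS} | {REVENGERAT_C2_HOST}
LOKIBOT_GATE_RE = re.compile(r"/fre\.php$", re.IGNORECASE)
NGROK_TCP_RE = re.compile(r"^\d+\.tcp\.(\w+\.)?ngrok\.io$", re.IGNORECASE)

# Constructed proxy log (assumed format): "timestamp method host port path status".
SAMPLE_PROXY_LOG = """\
2024-02-28T10:01:02Z POST alphastand.top 80 /alien/fre.php 200
2024-02-28T10:01:05Z GET www.example.com 443 /index.html 200
2024-02-28T10:02:11Z CONNECT 0.tcp.ngrok.io 19521 - 200
2024-02-28T10:03:40Z POST newdomain.example 80 /panel/fre.php 404
2024-02-28T10:04:00Z GET 4.tcp.ngrok.io 443 /healthz 200
"""

def classify_line(line):
    """Return the reasons a single proxy log line matches; [] means no hit."""
    fields = line.split()
    if len(fields) < 5:
        return []
    _ts, method, host, port, path = fields[:5]
    host = host.lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known C2 host {host}")
    if host == REVENGERAT_C2_HOST and port == str(REVENGERAT_C2_PORT):
        reasons.append("RevengeRAT ngrok endpoint (host and port)")
    if method == "POST" and LOKIBOT_GATE_RE.search(path):
        reasons.append("POST to LokiBot gate path /fre.php")
    # ngrok is legitimate tunnelling infrastructure ("Legitimate hosting services
    # abused"): a raw CONNECT to a tcp.ngrok.io edge is recorded, but labelled weak
    # so an analyst weights it below the exact host/port and gate-path matches.
    if method == "CONNECT" and NGROK_TCP_RE.match(host):
        reasons.append("raw TCP tunnel to ngrok edge (weak)")
    return reasons

def scan_log(text):
    """Return [(line_number, reasons)] for every matching line, 1-based."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        reasons = classify_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, why in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {'; '.join(why)}")
```

Note that the last sample line (a plain GET to a different ngrok edge) produces no hit: without the port from the config or a CONNECT tunnel, ngrok traffic alone is not evidence of this sample.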
Targets
-
Target
The-MALWARE-Repo
-
Modifies WinLogon for persistence
-
RevengeRat Executable
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Creates a large number of network flows
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
Suspicious use of SetThreadContext
-
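Two of the signatures above, "Modifies WinLogon for persistence" and "Adds Run key to start application", are the registry writes that matter most for detection engineering, because they survive a reboot and are cheap to observe. The script below is an added example written for this page, not part of the sandbox report: it evaluates Sysmon Event ID 13 (registry value set) records, treating a Winlogon Shell/Userinit value that differs from the clean-install default as high severity and a Run key as high only when the target or the writing process lives in a user-writable path. The events, the field subset, and the severity scheme are assumptions for illustration.

```python
"""Flag the Winlogon-helper and Run-key persistence reported in the signature
list above, over Sysmon Event ID 13 (RegistryEvent: value set) records.
Added example, not part of the sandbox report; the events are constructed."""
import re

# Clean-install Winlogon values (lower-cased). Userinit's trailing comma is normal.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,"},
}
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Paths a standard user can write to; an autostart pointing here is the usual dropper pattern.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

# Constructed Sysmon EID 13 events (assumed), reduced to the fields the logic needs.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe,C:\Users\Admin\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\Admin\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 12, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Details": ""},
]

def evaluate(event):
    """Return (severity, reason) for a persistence write, or None if benign/irrelevant."""
    if event.get("EventID") != 13:          # only value-set events carry the payload
        return None
    target, details, image = event["TargetObject"], event["Details"], event.get("Image", "")
    m = WINLOGON_RE.search(target)
    if m:
        value_name = m.group(1)
        if details.strip().lower() in WINLOGON_DEFAULTS[value_name.lower()]:
            return None                     # default value rewritten, e.g. by an installer
        # Any deviation is high: Winlogon launches the listed binaries at every logon.
        return ("high", "Winlogon\\" + value_name + f" set to {details!r} by {image}")
    if RUN_KEY_RE.search(target):
        from_user_path = USER_WRITABLE_RE.search(details) or USER_WRITABLE_RE.search(image)
        severity = "high" if from_user_path else "low"
        value_name = target.rsplit("\\", 1)[-1]
        return (severity, f"Run key {value_name} -> {details!r} by {image}")
    return None

def triage(events):
    """Evaluate a batch; returns [(index, severity, reason), ...] for the hits."""
    hits = []
    for i, ev in enumerate(events):
        result = evaluate(ev)
        if result:
            hits.append((i, *result))
    return hits

if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] event {idx}: {why}")
```

The first event, a rewrite of Winlogon\Shell to its default, is deliberately silent: comparing against the known-good value, rather than alerting on every write to the key, is what keeps this rule usable on a fleet where installers and group policy touch Winlogon.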
MITRE ATT&CK Matrix (ATT&CK v13)
Numbers in parentheses are the per-technique hit counts shown in the matrix.
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Defense Evasion
- Modify Registry (4)
- Indicator Removal (2)
- File Deletion (2)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- File and Directory Permissions Modification (1)
- Scripting (1)