Analysis
max time kernel: 143s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2024 20:07
Static task: static1
Behavioral task: behavioral1
  Sample: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
  Resource: win10v2004-20240226-en
General
Target: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
Size: 902KB
MD5: 3911ea7b9fdb0162a2179e8e7d67d0d6
SHA1: 3b517d03f1f26678c48c4aa2d8b46c18bb585f01
SHA256: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5
SHA512: e3db62a9bb236fe318088ff245c552830930a6b7250afd32a2a0c308574bfcba9516af4ade94430233c5f77aabc33032aa1418bc1270b33486ea0e166f86bec7
SSDEEP: 24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa5H:gh+ZkldoPK8YaKGH
Malware Config
Extracted
revengerat
Marzo26
marzorevenger.duckdns.org:4230
RV_MUTEX-PiGGjjtnxDpn
Signatures
RevengeRAT
  Remote-access trojan with a wide range of capabilities.
Drops startup file (1 IoC)
  Processes:
    description: File created
    ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url
    process: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2200 set thread context of 3024
    pid: 2200
    process: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
    target process: RegAsm.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 3024
    process: RegAsm.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (3 identical entries):
    pid: 2200
    process: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (3 identical entries):
    pid: 2200
    process: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (9 identical entries):
    description: PID 2200 wrote to memory of 3024
    pid: 2200
    process: 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
    target process: RegAsm.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
Downloads
memory/2200-0-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize: 4KB)
memory/3024-1-0x0000000000090000-0x0000000000098000-memory.dmp (Filesize: 32KB)
memory/3024-3-0x0000000000090000-0x0000000000098000-memory.dmp (Filesize: 32KB)
memory/3024-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
memory/3024-8-0x0000000000090000-0x0000000000098000-memory.dmp (Filesize: 32KB)
memory/3024-9-0x0000000000090000-0x0000000000098000-memory.dmp (Filesize: 32KB)
memory/3024-10-0x0000000073D80000-0x000000007432B000-memory.dmp (Filesize: 5.7MB)
memory/3024-14-0x0000000073D80000-0x000000007432B000-memory.dmp (Filesize: 5.7MB)