revengerat | 2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5

Analysis

max time kernel
143s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
Size

902KB
MD5

3911ea7b9fdb0162a2179e8e7d67d0d6
SHA1

3b517d03f1f26678c48c4aa2d8b46c18bb585f01
SHA256

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5
SHA512

e3db62a9bb236fe318088ff245c552830930a6b7250afd32a2a0c308574bfcba9516af4ade94430233c5f77aabc33032aa1418bc1270b33486ea0e166f86bec7
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa5H:gh+ZkldoPK8YaKGH

Score

10^/10

revengerat marzo26 trojan

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops startup file 1 IoCs

Processes:

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

description	pid	process	target process
PID 2200 set thread context of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3024 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3024	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

pid	process
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

pid	process
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe

description	pid	process	target process
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe
PID 2200 wrote to memory of 3024	2200	2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe
"C:\Users\Admin\AppData\Local\Temp\2ac4a5f9f25a67063595d6ed1f4970cf6150fa32861dadd762428d4f284696d5.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3024-1-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/3024-3-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/3024-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3024-8-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/3024-9-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/3024-10-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/3024-14-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download