General

  • Target

    c3022d2f513cd1c376fdb6b75d15a6e9

  • Size

    101KB

  • Sample

    240312-la9kxsdd7y

  • MD5

    c3022d2f513cd1c376fdb6b75d15a6e9

  • SHA1

    a1d78eec4448dee2d283ef1170f7394daf6e97b7

  • SHA256

    a45f7b053c2f9ba19e62a3b4f448153e64f06646569f961e157ce920b7591ce1

  • SHA512

    99d9d884b94a684597610337f77f87983d59b72ca38799060ebf1d0d63a91142334de5863ca39216fc687fecada209fb2fd24657bd82ff29c101cf30115b3a0f

  • SSDEEP

    1536:OviK2TjkKgSW6cSfMyiBvLjxqxoFK92g5Nu3RKV7DYew+LnrY0bal2jlEKrZwU6:OIB68c1LdqxoFKkRKhDvw+Ln/BlEywU6

Targets

    • Target

      foto/deepweb1084982034.exe

    • Size

      257KB

    • MD5

      4ab7225bafe90aa3fcb8ed77cbdf114d

    • SHA1

      4e33f6c3f0c94ac80043cf59619cbf71cfbc099f

    • SHA256

      3b8e6f9533bd89fc96502cf5fb579afeac2b78015e4fe07ea2f1a17331b1d0fc

    • SHA512

      3ba0c020cf63bf06ffd3e9e3dcb59aa77aac4ede926da3f40d8329c886670237dc1dc8bf7ec2eac8f0b932addf686224368cf4b7cd87aac445dd3eb0d9b56043

    • SSDEEP

      3072:tUp1/p/QFAWZkKKcL8uaLvUNGrTwkYNRMz49+:tUp1/p5KdYLvU0wkICzi+

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory
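The signatures above are behavioural, so they translate directly into host-level detections. The following is an added example (not part of the Triage report and not the sandbox's own signature code) of that logic run over a handful of constructed Sysmon-style events; every path, registry key and SID in it is invented, only the lure file name is taken from the report, and the allow-list of legitimate vbc.exe parents is an assumption.

```python
# Added example, not part of the Triage report: toy detection logic for the
# behaviours the sandbox flagged (Run key, startup-folder drop, executing a
# dropped EXE, launching the VB.NET compiler vbc.exe). It runs over a handful
# of constructed Sysmon-style events; every path, key and SID below is made up.
import re

# Sysmon event IDs used here: 1 = process create, 11 = file create,
# 13 = registry value set.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.I)
# Hypothetical allow-list of parents that legitimately spawn vbc.exe.
VBC_OK_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule_name, event), ...] in the order the events are seen."""
    findings = []
    dropped = set()  # lower-cased paths of files written to user-writable dirs
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if USER_WRITABLE_RE.search(target):
                dropped.add(target.lower())
            if STARTUP_DIR_RE.search(target):
                findings.append(("drops_startup_file", ev))
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            findings.append(("adds_run_key", ev))
        elif eid == 1:
            image = ev.get("Image", "")
            parent = basename(ev.get("ParentImage", ""))
            # Correlation: an image executed from a path we saw created earlier.
            if image.lower() in dropped:
                findings.append(("executes_dropped_exe", ev))
            if basename(image) == "vbc.exe" and parent not in VBC_OK_PARENTS:
                findings.append(("vbc_spawned_by_non_build_tool", ev))
    return findings


# Constructed events: the lure name is the report's, everything else is invented.
LURE = r"C:\Users\user\Downloads\foto\deepweb1084982034.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\dropped.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": LURE, "TargetFilename": DROPPED},
    {"EventID": 1, "Image": DROPPED, "ParentImage": LURE},
    {"EventID": 13, "Image": DROPPED,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\dropped",
     "Details": DROPPED},
    {"EventID": 11, "Image": DROPPED,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": DROPPED},
    # Benign noise that must not fire: a build tool compiling, an unrelated key.
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\MSBuild\MSBuild.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\App"},
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {ev.get('Image', '')}")
```

The "executes dropped EXE" rule is stateful on purpose: it only fires when the image being launched was written to a user-writable directory earlier in the same stream, which is what separates the sandbox's signature from a plain "process started from AppData" rule.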

    • Target

      foto/deepweb1084982034.jpg.lnk

    • Size

      2KB

    • MD5

      80c226fbf56b69c10f25c695543b4de1

    • SHA1

      f597c700a48d8d5c0524b281154f044c042a96a1

    • SHA256

      5f593437fd1d396bec00e1196c163091ae1b4ef277a684398a5bc0783cd8d8f6

    • SHA512

      7568928410abf9f2dd3570bce854d2d370c44ffc233fd89f0f98793549bebc0a2b0a515517834b60105e2ec2d6d592690c63cd515f0939cd94d66c617e614397

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory
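The second target is a 2KB Windows shortcut named to look like a picture; the report does not show its contents, but the first thing a triager does with such a file is read its header and StringData to see what it really launches. The following is an added example (not from the Triage report and not derived from the report's deepweb1084982034.jpg.lnk) of a minimal Shell Link parser following the MS-SHLLINK layout, with a constructed sample link and a few assumed triage heuristics.

```python
# Added example, not part of the Triage report: a minimal reader for the
# Shell Link (.lnk) header and StringData section (layout per MS-SHLLINK),
# which is where a ".jpg.lnk" lure's real target and arguments live.
# The sample link below is built here for the demo; it is not the content
# of the report's deepweb1084982034.jpg.lnk.
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that drive parsing (lowest byte only)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value lures use to keep the window hidden


def is_lnk(data):
    return (len(data) >= HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data):
    """Return the header fields and StringData of a Shell Link as a dict."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = HEADER_SIZE
    if flags & HAS_IDLIST:  # LinkTargetIDList: 2-byte size, then the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:  # LinkInfo: 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    info = {"flags": flags, "file_attributes": attrs, "show_command": show_cmd}
    for bit, name in STRING_FIELDS:  # StringData entries appear in this order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252")
            off += count
    return info


def suspicious(info):
    """Assumed triage heuristics over a parsed link; returns the reasons that fired."""
    reasons = []
    target = (info.get("relative_path") or "").lower().rsplit("\\", 1)[-1]
    if target in {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}:
        reasons.append("interpreter_target")
    if info.get("arguments"):
        reasons.append("has_arguments")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("hidden_window")
    return reasons


def build_lnk(relative_path, working_dir, arguments, show_command=SW_SHOWMINNOACTIVE):
    """Build a minimal Unicode .lnk (no IDList/LinkInfo) for exercising the parser."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | IS_UNICODE
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<II", flags, 0x20)            # FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                               # creation/access/write FILETIMEs
              + struct.pack("<IIIH", 0, 0, show_command, 0)  # size, icon, show, hotkey
              + b"\x00" * 10)                              # Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed sample: a picture-named link that actually runs cmd.exe.
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"C:\Users\Public",
                       '/c start "" example.exe')

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    print("suspicious:", suspicious(parsed))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their size fields rather than interpreting them; for a lure the relative path, working directory and arguments in StringData are usually enough to tell what gets executed, and they survive even when the IDList points at a machine-specific volume.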

MITRE ATT&CK Matrix ATT&CK v13

The number beside each technique is the sandbox's hit count for it. Note that T1064 Scripting is a deprecated ATT&CK technique, superseded by T1059 Command and Scripting Interpreter; map it accordingly when recording these results.

Execution

  • Scripting (T1064): 2

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2

  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Scripting (T1064): 2

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 4