Resubmissions
22-03-2024 10:29
Analysis 240322-mh85ssdc6s (score: 10)
max time kernel: 87s
max time network: 18s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 22-03-2024 10:29
Behavioral task behavioral1
Sample: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
Resource: win10v2004-20231215-en
General
Target: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
Size: 1.1MB
MD5: 56ac9e72644a8dae8c1968d63a26e58a
SHA1: d0349d04f33400541898426438d9e036d21decc5
SHA256: 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c
SHA512: d4f5c176b3e4fda2a318fde3ec3702d9bf102bd752ee42b4549b9fd6630fdcbee20de63fc7a403f60768ac7c0a7d780bc542c8d60f4e2b9eeb19a40aba49ddc1
SSDEEP: 24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
Processes:
resource \Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe, yara_rule revengerat
Executes dropped EXE 1 IoCs
Processes:
pid 2580, process dmr_72.exe
Loads dropped DLL 4 IoCs
Processes:
pid 2380, process 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe (4 entries)
Processes:
resource behavioral1/memory/2380-0-0x0000000000D00000-0x0000000000F76000-memory.dmp, yara_rule upx
resource behavioral1/memory/2380-24-0x0000000000D00000-0x0000000000F76000-memory.dmp, yara_rule upx
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource behavioral1/memory/2380-24-0x0000000000D00000-0x0000000000F76000-memory.dmp, yara_rule autoit_exe
resource behavioral1/memory/2612-26-0x0000000140000000-0x00000001405E8000-memory.dmp, yara_rule autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
pid 2612, process taskmgr.exe (33 entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid 2380, process 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
pid 2612, process taskmgr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 2580, process dmr_72.exe
Token: SeDebugPrivilege, pid 2612, process taskmgr.exe
Suspicious use of FindShellTrayWindow 48 IoCs
Processes:
pid 2380, process 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe (3 entries)
pid 2612, process taskmgr.exe (45 entries)
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
pid 2380, process 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe (3 entries)
pid 2612, process taskmgr.exe (45 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid 2580, process dmr_72.exe (2 entries)
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
PID 2380 (3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe) wrote to memory of PID 2580 (target process dmr_72.exe), 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe"
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -zdbxzwwdaxmfojsx -2380
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe (depth 1)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DMR\zdbxzwwdaxmfojsx.dat
Filesize: 163B
MD5: 8c934b48a05955c6cc934925f4c01e7d
SHA1: b6300c8e23a440e85637a6e8f028ff25bee676d6
SHA256: 51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992
SHA512: 199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69
-
\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
Filesize: 373KB
MD5: 1b81fa48134378f2b8d54a41fcfcf0ca
SHA1: ff6fd97bcc603890c9bdffebe992a8b95d4f2686
SHA256: 5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707
SHA512: b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf
-
memory/2380-24-0x0000000000D00000-0x0000000000F76000-memory.dmp
Filesize: 2.5MB
-
memory/2380-0-0x0000000000D00000-0x0000000000F76000-memory.dmp
Filesize: 2.5MB
-
memory/2580-22-0x000000001B140000-0x000000001B1C0000-memory.dmp
Filesize: 512KB
-
memory/2580-18-0x000000001B140000-0x000000001B1C0000-memory.dmp
Filesize: 512KB
-
memory/2580-20-0x000000001B140000-0x000000001B1C0000-memory.dmp
Filesize: 512KB
-
memory/2580-21-0x000000001B140000-0x000000001B1C0000-memory.dmp
Filesize: 512KB
-
memory/2580-17-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
Filesize: 9.9MB
-
memory/2580-23-0x000000001B140000-0x000000001B1C0000-memory.dmp
Filesize: 512KB
-
memory/2580-16-0x0000000001030000-0x0000000001092000-memory.dmp
Filesize: 392KB
-
memory/2580-25-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp
Filesize: 9.9MB
-
memory/2612-26-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize: 5.9MB
-
memory/2612-27-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize: 5.9MB
-
memory/2612-28-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize: 5.9MB
-
memory/2612-29-0x0000000140000000-0x00000001405E8000-memory.dmp
Filesize: 5.9MB