Overview

overview

10

Static

static

7

3a6e2de5b3...46.exe

windows7-x64

10

3a6e2de5b3...46.exe

windows10-2004-x64

10

Resubmissions

29-04-2024 10:45

240429-mtg6fsha6w 7

29-04-2024 10:42

240429-mr7nbsha31 7

27-04-2024 05:44

240427-gfdyzscd52 7

27-04-2024 05:43

240427-gepzvscd38 7

27-04-2024 05:42

240427-gd8qkscd33 7

27-04-2024 05:41

240427-gdf1kacc99 10

Analysis

  • max time kernel
    146s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 05:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

  • Size

    1.4MB

  • MD5

    5673c04d81969a6603184069b6846213

  • SHA1

    49fdd9c69f1c281d94486029dfaa5108dfc168bf

  • SHA256

    3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446

  • SHA512

    c381630f7c9c72ca538679bef37b9e966ec2f906bd5eb36a42069e3742ddd57bd958d867ede257edc3244e40fa3a6c65c10cddd07dddfd89cc2085eef13291cb

  • SSDEEP

    24576:rq5TfcdHj4fmb9Ve9u2qTPIMeYyBMLlQjzCEzKJ9TtLzCwn1jAh0zQJ9TtDRli:rUTsamC9uxKjY5x1jAF5i

Score
10/10
revengeratstealertrojanupx

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54417509 -chipderedesign -a80c61fa351a416282afb39d6c109d6c - -BLUB2 -ygxkxcekwtgcahqd -4036
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.chip.de/secured-installer-support/feedback?t=&cid=&pid=&pg=57656C636F6D65&data=26536574757049443D26436C69656E7449443D26436F6E74656E7449443D26506172746E657249443D26536F7572636549443D267374724F533D3635373237323646373232303639364532303637363537343530363137323631364436353734363537323733343636463732344437333637343236463738323833303239264455423D26737472416E746976697275733D36353732373236463732323036393645323036373635373435303631373236313644363537343635373237333436364637323444373336373432364637383238333132392665784D73673D353436383635323037323635364436463734363532303645363136443635323036333646373536433634323036453646373432303632363532303732363537333646364337363635363433413230323736313730363932453633363836393730324437333635363337353732363536343244363436463737364536433646363136343245363436353237264572726F72506C6163653D34373635373434383734373437303537363536323532363537313735363537333734
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffed41046f8,0x7ffed4104708,0x7ffed4104718
          4⤵
            PID:3952
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
            4⤵
              PID:3408
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3616
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
              4⤵
                PID:5024
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                4⤵
                  PID:1364
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                  4⤵
                    PID:3000
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
                    4⤵
                      PID:2344
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
                      4⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2260
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
                      4⤵
                        PID:4224
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
                        4⤵
                          PID:2020
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
                          4⤵
                            PID:3696
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
                            4⤵
                              PID:4176
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
                              4⤵
                                PID:2892
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
                                4⤵
                                  PID:2888
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
                                  4⤵
                                    PID:996
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
                                    4⤵
                                      PID:3220
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10270458193177802266,5323480579842923016,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4044 /prefetch:2
                                      4⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3772
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:516
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:2504

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    850f27f857369bf7fe83c613d2ec35cb

                                    SHA1

                                    7677a061c6fd2a030b44841bfb32da0abc1dbefb

                                    SHA256

                                    a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

                                    SHA512

                                    7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                    Filesize

                                    152B

                                    MD5

                                    62c02dda2bf22d702a9b3a1c547c5f6a

                                    SHA1

                                    8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

                                    SHA256

                                    cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

                                    SHA512

                                    a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    2e05ad2f81cb7e4ca187ebb0eb4f1b26

                                    SHA1

                                    9a993b83892a9d427495c1eb6353a162cfd3c39c

                                    SHA256

                                    120f566ea694f6a916b5a205e3d7d148d4877765f3359811525d623da7567128

                                    SHA512

                                    ef2b3d95851c9013e93f44d84b15de7a7dacee1f56dd6df04e485162514f8445de5cc3eb85eee3b4bbdfe307ae302a18ca6469303704ad3fbc28c558396b16a8

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                    Filesize

                                    6KB

                                    MD5

                                    879a88fce264bf3f0f91fc3d776da658

                                    SHA1

                                    4971df3a73c513be56ea9e045f2758f9f0ab2d13

                                    SHA256

                                    0894a56753745f662a8e6e129a981dcb44ff8073a8c9996fc4bff0a98fb9f239

                                    SHA512

                                    f83338572dba2e6ab1e39acdb8eb170044b399045de4589ee4af3ea096eeed21cde23c9be2efe382597e227828eb1ea4671cb472d580710190f0cf63a01c09f7

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                    Filesize

                                    16B

                                    MD5

                                    6752a1d65b201c13b62ea44016eb221f

                                    SHA1

                                    58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                    SHA256

                                    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                    SHA512

                                    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                    Filesize

                                    8KB

                                    MD5

                                    53fc0f2b6083bf47f3d682ae7d7e25ee

                                    SHA1

                                    8db3fca2619afe024112ac52ccfa5d1a5047f16f

                                    SHA256

                                    971645a3756c0ffde51d5ddd114b845bcad9955293b1e872db8340565952e3f4

                                    SHA512

                                    cd6ae89eb4b479651df92091b8839fead7841722b0c74c9fa41dc3ae9e4f67c3e0df1414faccf72ad999eb2e3ebf6eee3a5256dfa860fa3e3a9f3ddc12a493e6

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
                                    Filesize

                                    508KB

                                    MD5

                                    da9e9a98a7cf8da14f9e3c9973328fb7

                                    SHA1

                                    42e37cbfa37877d247ebd37d9553cb6224d6bee6

                                    SHA256

                                    c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063

                                    SHA512

                                    ce98f1984a3db301df7c1078dc6014fc1a03a1643c5635ef59775ee8019fbae4e07c16e99ec3d1998f45947d57493ada96e5116c359a590b14573833eec17343

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\DMR\ygxkxcekwtgcahqd.dat
                                    Filesize

                                    161B

                                    MD5

                                    c800879c1c73dbbb198fc42669646aa7

                                    SHA1

                                    ab63307099961d43ebb2b64809b7f39d030bab7b

                                    SHA256

                                    4c4dd62b579e43dc1c4cf859299df3023409492281f173bc5c3d2cc00bb782d7

                                    SHA512

                                    0bc20e0c61f46a6c8eb0d8c276edc1f1901ac2f2800199d78490ba0b3c096e4cbf08a175ee19f663d7c13d56e7b6852f32478ea6c85f7829f6fd2880023213df

                                    Download Submit

                                  • memory/4036-0-0x0000000000560000-0x000000000085D000-memory.dmp

                                    Filesize

                                    3.0MB

                                    Download

                                  • memory/4036-20-0x0000000000560000-0x000000000085D000-memory.dmp

                                    Filesize

                                    3.0MB

                                    Download

                                  • memory/4808-19-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4808-29-0x00007FFEDAD10000-0x00007FFEDB7D1000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4808-21-0x00007FFEDAD10000-0x00007FFEDB7D1000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4808-17-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4808-18-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4808-16-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/4808-15-0x00007FFEDAD10000-0x00007FFEDB7D1000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4808-13-0x00000000008F0000-0x0000000000974000-memory.dmp

                                    Filesize

                                    528KB

                                    Download