revengerat | 27a4404a7f0e8fe3c82b6cd82886e0a8418e03bce4bb152c9d9cfe2b929f2125

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
Size

951KB
MD5

44ef0d52e033d3e952b96545fa1a82a0
SHA1

6f91210721ad4cff0379c2e9fe88c8ed3943a9b9
SHA256

27a4404a7f0e8fe3c82b6cd82886e0a8418e03bce4bb152c9d9cfe2b929f2125
SHA512

e83f4ca6181fc48ad40aa5950edc59ca47068d1ebf33f644dfee6404bf5ba6f83358d37480f7b14830c37d5729fd9e3369c02c938000159d0e3956d5e62a9d5b
SSDEEP

24576:2AHnh+eWsN3skA4RV1HDm2KXMmHaKZT5I:Rh+ZkldDPK8YaKjI

Score

10^/10

revengerat marzo26 trojan

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2920-0-0x0000000000FB0000-0x00000000010A3000-memory.dmp	autoit_exe
behavioral1/memory/2920-14-0x0000000000FB0000-0x00000000010A3000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28
PID 2920 wrote to memory of 2376	2920	44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\44ef0d52e033d3e952b96545fa1a82a0_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2376-10-0x0000000073D52000-0x0000000073D54000-memory.dmp

Filesize
8KB

Download
memory/2920-0-0x0000000000FB0000-0x00000000010A3000-memory.dmp

Filesize
972KB

Download
memory/2920-1-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2920-14-0x0000000000FB0000-0x00000000010A3000-memory.dmp

Filesize
972KB

Download