revengerat | 48d3f34a87180d7b45c21075a1eac7cbe09062cf773aebeb00c556143546a330 | Triage

Sharing

General

Target

4cea2fc03045e100ac67b032edcf4c3b_JaffaCakes118
Size

2.0MB
Sample

240516-zc5awafc52
MD5

4cea2fc03045e100ac67b032edcf4c3b
SHA1

88799fd58a5b856466047ca6b4cfa56a41f0ed58
SHA256

48d3f34a87180d7b45c21075a1eac7cbe09062cf773aebeb00c556143546a330
SHA512

f899a8bf0553b5d7a06e2c81a0562c4c5975550dc4879372e398a9e47df4406d63a7ff4a801491039944b7c6b44630aa7935fefc9220798e96631d9ea74f7ee0
SSDEEP

49152:NVO+2fV5tBCJBNuVZNVyUk0jpj7Km8swWX8skbQREVr/+LT4n3+M9:e+2ff8BN+NyUNKkhREdX3p9

Score

10^/10

revengerat microsoft .net framework servcies persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Microsoft .Net Framework Servcies

C2

uogapk3.ddns.net:2222

uogapk4.ddns.net:2222

uogapk5.ddns.net:2222

uogapk6.ddns.net:2222

uogapk7.ddns.net:2222

uogapk8.ddns.net:2222

uogapk9.ddns.net:2222

uogapk10.ddns.net:2222

uogapk11.ddns.net:2222

uogapk12.ddns.net:2222

uogapk13.ddns.net:2222

uogapk14.ddns.net:2222

uogapk15.ddns.net:2222

uogapk16.ddns.net:2222

uogapk17.ddns.net:2222

uogapk18.ddns.net:2222

uogapk19.ddns.net:2222

uogapk20.ddns.net:2222

uogapk21.ddns.net:2222

uogapk22.ddns.net:2222

Mutex

RV_MUTEX-cdhKbhoxlCIvg

Targets

- Target
  
  All-in-One Checker/All-in-One Checker.exe
- Size
  
  1.6MB
- MD5
  
  ac75a2a8f6c389474016245df20b9534
- SHA1
  
  47db5f6215d6c4817b6508db94123764fd4acc0d
- SHA256
  
  e6b4c080dde0b5fa4291070e60a9fc779ef03c198ec4f99150c454a29534dccf
- SHA512
  
  ee5d52d49fefbbb660e1a924861c5b88717a81889383852e047c4fbcace4b0313a8096792f02bc1fc2758160d6551a61cfb7bc0e8c341118ee6d46c059997201
- SSDEEP
  
  49152:ZIxhRNN2eNLk00huhmNF7XcJ45sfgrXRSa:eRJo0Wu8NFZ5sfgrga
Score

10^/10

revengerat microsoft .net framework servcies persistence stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratmicrosoft .net framework servciespersistencestealertrojan

behavioral2

revengeratmicrosoft .net framework servciespersistencestealertrojan