revengerat | 820547e17c9bfc76e4f129abbbe38c522f8d83abf2e22272d40858f820de52a8

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
Size

903KB
MD5

2e6d57f9b1cb7c02c9bc7ce458679bb0
SHA1

aa0931224dbf841c6c71f9db5aee251a0f3854a5
SHA256

820547e17c9bfc76e4f129abbbe38c522f8d83abf2e22272d40858f820de52a8
SHA512

6ea82b42cc10136e0c5bdac97e7f7ea9e825561113fb8d77507c7edb9acdb59367c5b78e2e2a70f7b5bef88011ba7cbd05ad0fb6de323ab5ab86ade0ff00371c
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa5M:gh+ZkldoPK8YaKGM

Score

10^/10

revengerat marzo26 trojan

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30
PID 2200 wrote to memory of 2600	2200	2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe	30

C:\Users\Admin\AppData\Local\Temp\2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe
"C:\Users\Admin\AppData\Local\Temp\2e6d57f9b1cb7c02c9bc7ce458679bb0N.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-0-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2600-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2600-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2600-9-0x0000000074602000-0x0000000074604000-memory.dmp

Filesize
8KB

Download
memory/2600-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2600-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download