Analysis
max time kernel: 119s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-07-2024 03:31
Static task: static1
Behavioral task: behavioral1
  Sample: 3d41513a6735c15a89e83be9108139c0N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 3d41513a6735c15a89e83be9108139c0N.exe
  Resource: win10v2004-20240709-en
General
Target: 3d41513a6735c15a89e83be9108139c0N.exe
Size: 951KB
MD5: 3d41513a6735c15a89e83be9108139c0
SHA1: 35af4a7fa36cbb14ebb740e55959e66a8facf4ba
SHA256: 9d451b023aaac2a3ceb24cdadb5fb9f8c6b51ce803304805ca37e560e083e1c6
SHA512: 722d3bc819f40aeb0653ecd31d5947551b39a56d965a9e7a136825122cd72870ec44e44dc933401b988c1864dd6e6d96862a12fb02ddaeca7868d49bfc71f3ee
SSDEEP: 24576:2AHnh+eWsN3skA4RV1HDm2KXMmHaKZT5w:Rh+ZkldDPK8YaKjw
Malware Config
Extracted
  Family: revengerat
  Botnet: Marzo26
  C2: marzorevenger.duckdns.org:4230
  Mutex: RV_MUTEX-PiGGjjtnxDpn
Signatures

RevengeRAT
  Remote-access trojan with a wide range of capabilities.

Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url
  process: 3d41513a6735c15a89e83be9108139c0N.exe

AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource: behavioral2/memory/4000-0-0x00000000005B0000-0x00000000006A3000-memory.dmp   yara_rule: autoit_exe
  resource: behavioral2/memory/4000-12-0x00000000005B0000-0x00000000006A3000-memory.dmp   yara_rule: autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4000 set thread context of 1008
  pid: 4000   process: 3d41513a6735c15a89e83be9108139c0N.exe   procid_target: 86

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 1008   process: RegAsm.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 4000   process: 3d41513a6735c15a89e83be9108139c0N.exe   (3 occurrences)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 4000   process: 3d41513a6735c15a89e83be9108139c0N.exe   (3 occurrences)

Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 4000 wrote to memory of 1008
  pid: 4000   process: 3d41513a6735c15a89e83be9108139c0N.exe   procid_target: 86   (5 occurrences)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3d41513a6735c15a89e83be9108139c0N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3d41513a6735c15a89e83be9108139c0N.exe"
   PID: 4000
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of PID 4000)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 1008
      - Suspicious use of AdjustPrivilegeToken
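The behaviour above is the classic hollowing chain: the AutoIT-packed dropper (PID 4000) drops a .url into the per-user Startup folder, starts RegAsm.exe with no assembly argument (a legitimate RegAsm run always takes one), writes into that child five times, resets a thread context with SetThreadContext, and the hollowed RegAsm.exe then asks for SeDebugPrivilege. The following Python is an added hunting example, not part of the sandbox output or of any Tria.ge tooling. It runs three checks over a constructed, Sysmon-style event list that mirrors the report's Processes and Signatures tables: the no-argument .NET host plus write-then-SetThreadContext pattern, the Startup-folder drop, and the host and mutex taken from the extracted config. The dns_query and mutex_create records, the parent PID 3120 and the HOLLOW_HOSTS entries other than RegAsm.exe are assumptions; the report itself lists no network or mutex events.

```python
"""Hunting checks for the process-hollowing, persistence and config IoCs in this report.
Added example: constructed telemetry, not sandbox output."""
import re

# Values copied from the Malware Config section of the report.
REVENGERAT_CONFIG = {
    "botnet": "Marzo26",
    "c2": "marzorevenger.duckdns.org:4230",
    "mutex": "RV_MUTEX-PiGGjjtnxDpn",
}

# .NET Framework utilities commonly used as hollowing hosts. RegAsm.exe is the one
# observed here; the other names are assumptions added for coverage.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3d41513a6735c15a89e83be9108139c0N.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
STARTUP_URL = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\AudioHandlers.url")

# Constructed Sysmon-style events. PIDs, images and the dropped file follow the
# report; ppid 3120, the dns_query and the mutex_create records are assumed.
EVENTS = [
    {"type": "process_create", "pid": 4000, "ppid": 3120, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "file_create", "pid": 4000, "path": STARTUP_URL},
    {"type": "process_create", "pid": 1008, "ppid": 4000, "image": REGASM, "cmdline": f'"{REGASM}"'},
    {"type": "write_process_memory", "pid": 4000, "target_pid": 1008},
    {"type": "set_thread_context", "pid": 4000, "target_pid": 1008},
    {"type": "dns_query", "pid": 1008, "query": "marzorevenger.duckdns.org"},
    {"type": "mutex_create", "pid": 1008, "name": "RV_MUTEX-PiGGjjtnxDpn"},
]


def command_line_args(cmdline: str) -> str:
    """Everything after the image path (quoted or bare) in a Windows command line."""
    m = re.match(r'^\s*"[^"]*"\s*(.*)$', cmdline) or re.match(r'^\s*\S+\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events) -> list:
    """A parent spawns a known .NET host with an empty command line, writes to its
    memory and then calls SetThreadContext on it: the pattern seen for PID 4000 -> 1008."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writers = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    findings = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        child = procs.get(e["target_pid"])
        if not child or child["ppid"] != e["pid"] or (e["pid"], e["target_pid"]) not in writers:
            continue
        if basename(child["image"]) in HOLLOW_HOSTS and command_line_args(child["cmdline"]) == "":
            parent = basename(procs[e["pid"]]["image"]) if e["pid"] in procs else "?"
            findings.append(f"hollowing: pid {e['pid']} ({parent}) -> pid {e['target_pid']} "
                            f"({basename(child['image'])}, no arguments)")
    return findings


def find_startup_persistence(events) -> list:
    """Shortcut-type files written into a Startup folder (AudioHandlers.url here)."""
    startup = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(url|lnk)$", re.IGNORECASE)
    return [f"startup persistence: pid {e['pid']} created {e['path']}"
            for e in events if e["type"] == "file_create" and startup.search(e["path"])]


def find_config_iocs(events, config) -> list:
    """Match telemetry against the C2 host and mutex extracted from the sample."""
    c2_host = config["c2"].rsplit(":", 1)[0].lower()
    findings = []
    for e in events:
        if e["type"] == "dns_query" and e["query"].lower() == c2_host:
            findings.append(f"c2 lookup: pid {e['pid']} resolved {e['query']} (config {config['c2']})")
        elif e["type"] == "mutex_create" and e["name"] == config["mutex"]:
            findings.append(f"mutex: pid {e['pid']} created {e['name']}")
    return findings


def analyze(events, config=REVENGERAT_CONFIG) -> list:
    return find_hollowing(events) + find_startup_persistence(events) + find_config_iocs(events, config)


if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

The empty command line is the useful discriminator for RegAsm.exe: administrators run it with an assembly path (and usually /codebase or /tlb), so a bare `"...\RegAsm.exe"` spawned from a user-writable Temp path is worth an alert even before the memory-write and SetThreadContext events arrive. The config-based checks are only as good as the extracted values; a duckdns.org name can be repointed at any time, so treat the mutex name and the hollowing pattern as the durable signals and the host as a short-lived one.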