revengerat | 668b9ede64eeab5a2c9015f36b8c6956fa53635ff9ca9cfefb294fc71942f613

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 09:26

Target

998623a5dbfd495eb486914e66fe4070N.exe
Size

904KB
MD5

998623a5dbfd495eb486914e66fe4070
SHA1

6db112bb8c9d617b6dbd23ccfd411f9204e90af3
SHA256

668b9ede64eeab5a2c9015f36b8c6956fa53635ff9ca9cfefb294fc71942f613
SHA512

8ceb531914b054a7eee315d8cae9e3ecc08ec400ff7834a294268f28f0c3519c079e957dc98f43c2b3d7518dcd42d8e88091062c20512313de27caeea7c5c415
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa58:gh+ZkldoPK8YaKG8

Score

10^/10

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops startup file 1 IoCs

Processes:

998623a5dbfd495eb486914e66fe4070N.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	998623a5dbfd495eb486914e66fe4070N.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

998623a5dbfd495eb486914e66fe4070N.exe

description pid process target process

PID 2360 set thread context of 2980 2360 998623a5dbfd495eb486914e66fe4070N.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2980 RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

998623a5dbfd495eb486914e66fe4070N.exe

pid process

2360 998623a5dbfd495eb486914e66fe4070N.exe
2360 998623a5dbfd495eb486914e66fe4070N.exe
2360 998623a5dbfd495eb486914e66fe4070N.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

998623a5dbfd495eb486914e66fe4070N.exe

pid process

2360 998623a5dbfd495eb486914e66fe4070N.exe
2360 998623a5dbfd495eb486914e66fe4070N.exe
2360 998623a5dbfd495eb486914e66fe4070N.exe

description	pid	process	target process
PID 2360 set thread context of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2980	RegAsm.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

998623a5dbfd495eb486914e66fe4070N.exe

description	pid	process	target process
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe
PID 2360 wrote to memory of 2980	2360	998623a5dbfd495eb486914e66fe4070N.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

memory/2360-0-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2980-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2980-9-0x0000000074942000-0x0000000074944000-memory.dmp

Filesize
8KB

Download