Analysis Overview
SHA256
3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c
Threat Level: Known bad
The file 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Executes dropped EXE
Checks computer location settings
UPX packed file
Loads dropped DLL
AutoIT Executable
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 02:49
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 02:49
Reported
2024-07-26 02:52
Platform
win7-20240708-en
Max time kernel
16s
Max time network
54s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1756 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
| PID 1756 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
| PID 1756 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
| PID 1756 wrote to memory of 688 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
"C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe"
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -jjtrrkfmwixdfpql -1756
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.chip-secured-download.de | udp |
| DE | 116.203.169.158:80 | api.chip-secured-download.de | tcp |
| US | 8.8.8.8:53 | ocs1.chdi-server.de | udp |
| DE | 116.203.169.152:8080 | ocs1.chdi-server.de | tcp |
Files
memory/1756-0-0x0000000001250000-0x00000000014C6000-memory.dmp
\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
| Hash | Value |
| --- | --- |
| MD5 | 1b81fa48134378f2b8d54a41fcfcf0ca |
| SHA1 | ff6fd97bcc603890c9bdffebe992a8b95d4f2686 |
| SHA256 | 5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707 |
| SHA512 | b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf |
memory/688-16-0x000007FEF5743000-0x000007FEF5744000-memory.dmp
memory/688-17-0x00000000008D0000-0x0000000000932000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DMR\jjtrrkfmwixdfpql.dat
| Hash | Value |
| --- | --- |
| MD5 | 8c934b48a05955c6cc934925f4c01e7d |
| SHA1 | b6300c8e23a440e85637a6e8f028ff25bee676d6 |
| SHA256 | 51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992 |
| SHA512 | 199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69 |
memory/688-19-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
memory/688-20-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
memory/688-21-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
memory/688-22-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
memory/1756-23-0x0000000001250000-0x00000000014C6000-memory.dmp
memory/688-24-0x000007FEF5740000-0x000007FEF612C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 02:49
Reported
2024-07-26 02:52
Platform
win10v2004-20240709-en
Max time kernel
137s
Max time network
128s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3408 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
| PID 3408 wrote to memory of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
"C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe"
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -hzgbbjmtsxyfhqxc -3408
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.chip-secured-download.de | udp |
| DE | 116.203.169.158:80 | api.chip-secured-download.de | tcp |
| US | 8.8.8.8:53 | 158.169.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocs1.chdi-server.de | udp |
| DE | 116.203.169.152:443 | ocs1.chdi-server.de | tcp |
| US | 8.8.8.8:53 | 152.169.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3408-0-0x0000000000220000-0x0000000000496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
| Hash | Value |
| --- | --- |
| MD5 | 1b81fa48134378f2b8d54a41fcfcf0ca |
| SHA1 | ff6fd97bcc603890c9bdffebe992a8b95d4f2686 |
| SHA256 | 5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707 |
| SHA512 | b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf |
memory/3612-13-0x00007FFB49793000-0x00007FFB49795000-memory.dmp
memory/3612-14-0x0000000000830000-0x0000000000892000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DMR\hzgbbjmtsxyfhqxc.dat
| Hash | Value |
| --- | --- |
| MD5 | 8c934b48a05955c6cc934925f4c01e7d |
| SHA1 | b6300c8e23a440e85637a6e8f028ff25bee676d6 |
| SHA256 | 51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992 |
| SHA512 | 199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69 |
memory/3612-16-0x00007FFB49790000-0x00007FFB4A251000-memory.dmp
memory/3612-17-0x00007FFB49790000-0x00007FFB4A251000-memory.dmp
memory/3612-18-0x00007FFB49790000-0x00007FFB4A251000-memory.dmp
memory/3612-19-0x00007FFB49790000-0x00007FFB4A251000-memory.dmp
memory/3408-20-0x0000000000220000-0x0000000000496000-memory.dmp
memory/3612-22-0x00007FFB49790000-0x00007FFB4A251000-memory.dmp