Analysis
- max time kernel: 35s
- max time network: 38s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27-07-2024 20:51
Behavioral task
- task: behavioral1
- Sample: Client.exe
- Resource: win11-20240709-en
General
- Target: Client.exe
- Size: 5.0MB
- MD5: 6663483929f325b3fe2f8a351787aebf
- SHA1: eaef70212f2f361a3167340d7c76e07246f1e427
- SHA256: cb9bb33d33ae493a7616a62cae19fb7c127c596a834543e78735e894d4225f42
- SHA512: 12d51bd6328fd6a7572c97fdd3ac7b5d74dfd1379d5553f890af6c5a2effa65c61ecb78588fddac239881391ed9e2831f65a6f70e83a7047b980bcd4cb501eb9
- SSDEEP: 3072:iEQ5B9LypBTl57/zzTx+feymDt9SYzOP+:iupBvLzTIf4Df7zOP+
Malware Config
Extracted
- Family: revengerat
- ID: Guest
- C2: 0.tcp.eu.ngrok.io:8848
- Mutex: RV_MUTEX
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 1 IoCs)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  PID 5104 (Client.exe) set thread context of PID 1956 (RegSvcs.exe)
  PID 1956 (RegSvcs.exe) set thread context of PID 3676 (RegSvcs.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by RegSvcs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeDebugPrivilege, PID 5104 (Client.exe)
  Token: SeDebugPrivilege, PID 1956 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  PID 5104 (Client.exe) wrote to memory of PID 1956 (RegSvcs.exe), 8 entries
  PID 1956 (RegSvcs.exe) wrote to memory of PID 3676 (RegSvcs.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Client.exe (PID 5104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1956)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 3676)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
- C:\Windows\System32\rundll32.exe (PID 2660)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 44B
- MD5: bfbee1ccbe6981fafb1c7bff99680882
- SHA1: 3866c915b8a7e0592f8728c89faf6bb4d5ecf002
- SHA256: 74976c31c2c46d066f3d9a70fc73b3a7dd541d5a889a6644a59f09b53960a235
- SHA512: 6bb98708f97b426a6ef445681a9169671d084f1a876e6ff07b8c595add8f996509d5e003a04b1d58ca10332285df2686bec4e6b470f6b3f8a19e15be256dbd2e