revengerat | 3fcab0addd17f497cf4a7bd90ca5797520a26d98d8fd87b3df5f539cf8cf41bb | Triage

Submit
Reports

Overview

overview

Static

static

1

6122d96e83...18.rtf

windows7-x64

6122d96e83...18.rtf

windows10-2004-x64

Sharing

General

Target

6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118
Size

429KB
Sample

240729-z82jvs1dpr
MD5

6122d96e83f0c0dad6d1ed8ab22c60b3
SHA1

1c9fb09da9a5673b2c821657d1d50440eac79ed6
SHA256

3fcab0addd17f497cf4a7bd90ca5797520a26d98d8fd87b3df5f539cf8cf41bb
SHA512

943086f85de1d466dffb9e9ce1b4ae4ec18139373a4be92fcbc5e91b3e9edb38fbbcc5b3d9c1522af124870f1db9e750f52b2acc9093c4dde518fc9f2de86560
SSDEEP

3072:qxmwANc/nIwANc/nbwANc/nUwANc/nTwANc/nYwANc/ntwANc/n19F:sA29A2cA2ZA20A2NA2+A2nF

Score

10^/10

revengerat vjw0rm kerolyn s2 discovery execution stealer trojan worm

Static task

static1

Behavioral task

behavioral1

Sample

6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118.rtf

Resource

win7-20240704-en

revengerat vjw0rm kerolyn s2 discovery execution stealer trojan worm

windows7-x64

24 signatures

150 seconds

Behavioral task

behavioral2

Sample

6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118.rtf

Resource

win10v2004-20240709-en

revengerat vjw0rm kerolyn s2 discovery execution stealer trojan worm

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fcdc868cf8Nau4eqD/2019

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://storage.googleapis.com/wzukusers/user-34654398/documents/5c8fc8d91e717XQDt0y4/ServidorFUDIGOR

Extracted

Family

revengerat

Botnet

KEROLYN S2

C2

bozok1.duckdns.org:333

Mutex

RV_MUTEX-iNSnIELecwCkj

Targets

- Target
  
  6122d96e83f0c0dad6d1ed8ab22c60b3_JaffaCakes118
- Size
  
  429KB
- MD5
  
  6122d96e83f0c0dad6d1ed8ab22c60b3
- SHA1
  
  1c9fb09da9a5673b2c821657d1d50440eac79ed6
- SHA256
  
  3fcab0addd17f497cf4a7bd90ca5797520a26d98d8fd87b3df5f539cf8cf41bb
- SHA512
  
  943086f85de1d466dffb9e9ce1b4ae4ec18139373a4be92fcbc5e91b3e9edb38fbbcc5b3d9c1522af124870f1db9e750f52b2acc9093c4dde518fc9f2de86560
- SSDEEP
  
  3072:qxmwANc/nIwANc/nbwANc/nUwANc/nTwANc/nYwANc/ntwANc/n19F:sA29A2cA2ZA20A2NA2+A2nF
Score

10^/10

revengerat vjw0rm kerolyn s2 discovery execution stealer trojan worm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- RevengeRat Executable
  stealer
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

JavaScript

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

revengeratvjw0rmkerolyn s2discoveryexecutionstealertrojanworm

behavioral2

revengeratvjw0rmkerolyn s2discoveryexecutionstealertrojanworm

© 2018-2024

Terms | Privacy