Resubmissions
03-08-2024 22:30
240803-2evwbsxemn 1003-08-2024 21:31
240803-1day4awcjj 1003-08-2024 21:20
240803-z679mawaln 1003-08-2024 21:04
240803-zwppjavfnp 1003-08-2024 20:57
240803-zrnaxavepm 1003-08-2024 20:27
240803-y8sfhsvanl 1009-12-2021 20:37
211209-zeh6esfcfq 10Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-08-2024 21:31
Static task
static1
Behavioral task
behavioral1
Sample
FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
Resource
win10v2004-20240802-en
General
-
Target
FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
-
Size
988KB
-
MD5
afb30fed336e9b1e5e8ea5d941691b2a
-
SHA1
afeb330ea75da11608bc4f32d3490ed38cfd4c11
-
SHA256
16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1
-
SHA512
f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a
-
SSDEEP
24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4116-23-0x0000000002B90000-0x0000000002BA8000-memory.dmp revengerat behavioral2/memory/4336-31-0x0000000001500000-0x0000000001518000-memory.dmp revengerat -
Executes dropped EXE 2 IoCs
Processes:
gons.exetemp5789e.exepid process 1404 gons.exe 4116 temp5789e.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
InstallUtil.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\temp5789e.exe" InstallUtil.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
temp5789e.exeInstallUtil.exedescription pid process target process PID 4116 set thread context of 4336 4116 temp5789e.exe InstallUtil.exe PID 4336 set thread context of 4488 4336 InstallUtil.exe InstallUtil.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
InstallUtil.exeInstallUtil.exeFreeBitco.in Next Roll Prediction (Trial 1 Day).exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FreeBitco.in Next Roll Prediction (Trial 1 Day).exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 InstallUtil.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
temp5789e.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 4116 temp5789e.exe Token: SeDebugPrivilege 4336 InstallUtil.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
FreeBitco.in Next Roll Prediction (Trial 1 Day).exepid process 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
FreeBitco.in Next Roll Prediction (Trial 1 Day).exepid process 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
FreeBitco.in Next Roll Prediction (Trial 1 Day).exetemp5789e.exeInstallUtil.exedescription pid process target process PID 820 wrote to memory of 1404 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe gons.exe PID 820 wrote to memory of 1404 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe gons.exe PID 820 wrote to memory of 4116 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe temp5789e.exe PID 820 wrote to memory of 4116 820 FreeBitco.in Next Roll Prediction (Trial 1 Day).exe temp5789e.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4116 wrote to memory of 4336 4116 temp5789e.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe PID 4336 wrote to memory of 4488 4336 InstallUtil.exe InstallUtil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:820 -
C:\Users\Admin\AppData\Roaming\Microsoft\gons.exeC:\Users\Admin\AppData\Roaming\Microsoft\gons.exe2⤵
- Executes dropped EXE
PID:1404 -
C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exeC:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- System Location Discovery: System Language Discovery
PID:4488
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54B
MD5feff0ef7b1806ec99a169a9c65bf7d85
SHA1506370d143d605e5a1b2f8dcb28ff3d28d7f47bf
SHA25606c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd
SHA512e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05
-
Filesize
93KB
MD55596954c05b7854febf8fc86258ee259
SHA10f3cbe5382fbe23d0d4d425a9343339c20fe47d0
SHA256489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9
SHA5129ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e
-
Filesize
591KB
MD570ba9bb9b4a4a5c81b2c17f0110cef81
SHA175ce808554c4f79cb4d603fa500d7205cadffdc8
SHA256b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11
SHA512a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f