Resubmissions
03/08/2024, 22:30
240803-2evwbsxemn 1003/08/2024, 21:31
240803-1day4awcjj 1003/08/2024, 21:20
240803-z679mawaln 1003/08/2024, 21:04
240803-zwppjavfnp 1003/08/2024, 20:57
240803-zrnaxavepm 1003/08/2024, 20:27
240803-y8sfhsvanl 1009/12/2021, 20:37
211209-zeh6esfcfq 10Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
03/08/2024, 22:30
General
-
Target
FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
-
Size
988KB
-
MD5
afb30fed336e9b1e5e8ea5d941691b2a
-
SHA1
afeb330ea75da11608bc4f32d3490ed38cfd4c11
-
SHA256
16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1
-
SHA512
f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a
-
SSDEEP
24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\gons.exeC:\Users\Admin\AppData\Roaming\Microsoft\gons.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exeC:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"4⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54B
MD5feff0ef7b1806ec99a169a9c65bf7d85
SHA1506370d143d605e5a1b2f8dcb28ff3d28d7f47bf
SHA25606c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd
SHA512e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05
-
Filesize
93KB
MD55596954c05b7854febf8fc86258ee259
SHA10f3cbe5382fbe23d0d4d425a9343339c20fe47d0
SHA256489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9
SHA5129ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e
-
Filesize
591KB
MD570ba9bb9b4a4a5c81b2c17f0110cef81
SHA175ce808554c4f79cb4d603fa500d7205cadffdc8
SHA256b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11
SHA512a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
4KB
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
112KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
9.9MB
-
Filesize
616KB
-
Filesize
4KB