Overview

overview

10

Static

static

5

FreeBitco....y).exe

windows7-x64

10

FreeBitco....y).exe

windows10-2004-x64

10

Resubmissions

03-08-2024 22:30

240803-2evwbsxemn 10

03-08-2024 21:31

240803-1day4awcjj 10

03-08-2024 21:20

240803-z679mawaln 10

03-08-2024 21:04

240803-zwppjavfnp 10

03-08-2024 20:57

240803-zrnaxavepm 10

03-08-2024 20:27

240803-y8sfhsvanl 10

09-12-2021 20:37

211209-zeh6esfcfq 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2024 22:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FreeBitco.in Next Roll Prediction (Trial 1 Day).exe

  • Size

    988KB

  • MD5

    afb30fed336e9b1e5e8ea5d941691b2a

  • SHA1

    afeb330ea75da11608bc4f32d3490ed38cfd4c11

  • SHA256

    16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1

  • SHA512

    f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a

  • SSDEEP

    24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q

Score
10/10
revengeratdiscoverypersistencestealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 2 IoCs
    stealer
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
    "C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4204
    • C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
      2⤵
      • Executes dropped EXE
      PID:3108
    • C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4436
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hqqNLCGRF.txt
    Filesize

    54B

    MD5

    feff0ef7b1806ec99a169a9c65bf7d85

    SHA1

    506370d143d605e5a1b2f8dcb28ff3d28d7f47bf

    SHA256

    06c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd

    SHA512

    e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
    Filesize

    93KB

    MD5

    5596954c05b7854febf8fc86258ee259

    SHA1

    0f3cbe5382fbe23d0d4d425a9343339c20fe47d0

    SHA256

    489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9

    SHA512

    9ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
    Filesize

    591KB

    MD5

    70ba9bb9b4a4a5c81b2c17f0110cef81

    SHA1

    75ce808554c4f79cb4d603fa500d7205cadffdc8

    SHA256

    b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11

    SHA512

    a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f

    Download Submit
  • memory/1416-24-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-18-0x00000000000F0000-0x000000000018A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/1416-28-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-20-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-21-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1416-23-0x0000000000920000-0x0000000000938000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3108-25-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3108-22-0x00007FFD999D0000-0x00007FFD9A491000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3108-19-0x0000000000C20000-0x0000000000C3C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/3108-17-0x00007FFD999D3000-0x00007FFD999D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4436-27-0x0000000000400000-0x000000000049A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/4436-29-0x0000000005360000-0x00000000053FC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4436-30-0x00000000013E0000-0x00000000013F8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4436-31-0x0000000005B20000-0x00000000060C4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4436-32-0x00000000055E0000-0x0000000005646000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4464-33-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4464-35-0x0000000001970000-0x000000000198A000-memory.dmp
    Filesize

    104KB

    Download