Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2024 10:52
Static task: static1
Behavioral task: behavioral1
  Sample: 8b1de00abeb084a15946013cc17504f0N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 8b1de00abeb084a15946013cc17504f0N.exe
  Resource: win10v2004-20240802-en
General
Target: 8b1de00abeb084a15946013cc17504f0N.exe
Size: 952KB
MD5: 8b1de00abeb084a15946013cc17504f0
SHA1: cb4edbf03959be45d451faf284a152a4d8ba69d6
SHA256: 5d5e5f128e329ac3daf766616f0bfe40459e7c1f54366cc271daf5323672b450
SHA512: 77d997126fef66007311a14d934ead68494f2b188f4cb401e1fb961242877df6c646183f03ef34a554e929b7c7c1424c6b2d97e7dd7df539d9b41b666fa08b68
SSDEEP: 24576:2AHnh+eWsN3skA4RV1HDm2KXMmHaKZT5t:Rh+ZkldDPK8YaKjt
Malware Config
Extracted
Family: revengerat
ID: Marzo26
C2: marzorevenger.duckdns.org:4230
Mutex: RV_MUTEX-PiGGjjtnxDpn
duckdns.org is a free dynamic-DNS service, so the resolved IP can change at any time; the hostname, the port 4230 and the mutex name are the durable indicators to pivot on.
Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Drops startup file (1 IoC)
A shortcut dropped in the per-user Startup folder runs the payload at every logon (ATT&CK T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
Process | IoC
8b1de00abeb084a15946013cc17504f0N.exe | File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables. Both hits are on the same 972KB image region of PID 1972, i.e. the submitted sample itself is the compiled AutoIT loader.
Resource | YARA rule
behavioral1/memory/1972-0-0x0000000001190000-0x0000000001283000-memory.dmp | autoit_exe
behavioral1/memory/1972-14-0x0000000001190000-0x0000000001283000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Process | PID | Target process | Target PID
8b1de00abeb084a15946013cc17504f0N.exe | 1972 | RegAsm.exe | 1200
Combined with the nine WriteProcessMemory calls below into the same target, this is the process-hollowing sequence (ATT&CK T1055.012): the loader starts RegAsm.exe, writes the RevengeRAT payload into it and redirects the main thread into the written image. The 32KB region at 0x400000 in PID 1200 listed under Downloads is consistent with that injected image.

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host (ATT&CK T1614.001). Reading this key is also a common prelude to a locale-based kill switch.
Process | IoC
8b1de00abeb084a15946013cc17504f0N.exe | Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
RegAsm.exe | Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process | PID | Token
RegAsm.exe | 1200 | SeDebugPrivilege
The privilege is enabled by the hollowed RegAsm.exe, not by the loader; an assembly-registration tool has no use for SeDebugPrivilege.

Suspicious use of FindShellTrayWindow (3 IoCs)
Process | PID
8b1de00abeb084a15946013cc17504f0N.exe | 1972 (3 calls)

Suspicious use of SendNotifyMessage (3 IoCs)
Process | PID
8b1de00abeb084a15946013cc17504f0N.exe | 1972 (3 calls)
These two signals are low-value on their own; GUI runtimes such as AutoIT's raise them routinely.

Suspicious use of WriteProcessMemory (9 IoCs)
Process | PID | Target process | Target PID
8b1de00abeb084a15946013cc17504f0N.exe | 1972 | RegAsm.exe | 1200 (9 writes)
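The signatures above translate directly into host-level hunt logic. The following is an added example, not part of the sandbox report: it turns the report's indicators (the RegAsm.exe hollowing chain, the Startup-folder .url, the duckdns C2 and the sample hash) into rules and runs them over a constructed set of Sysmon-style events. The event schema, the field names and the sample events are assumptions made for the example; the report's own Network section carries no entries, so the DNS and connection events here are invented to show the rule shape.

```python
"""Hunt rules derived from the RevengeRAT sandbox report, evaluated over
constructed Sysmon-style events (the events are not real telemetry)."""
import re
import shlex

# Indicators taken from the report.
C2_HOST = "marzorevenger.duckdns.org"
C2_PORT = 4230
SHA256 = "5d5e5f128e329ac3daf766616f0bfe40459e7c1f54366cc271daf5323672b450"
STARTUP_URL = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\AudioHandlers.url")

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Downloads|Users\\Public)\\", re.I)
PROCESS_VM_OPERATION = 0x08   # access-mask bits a writer needs on the target
PROCESS_VM_WRITE = 0x20


def _is_regasm(path: str) -> bool:
    return path.lower().endswith("\\regasm.exe")


def rule_regasm_no_args(ev: dict) -> bool:
    """RegAsm.exe started with no arguments: a real registration run always has some."""
    if ev["type"] != "ProcessCreate" or not _is_regasm(ev["image"]):
        return False
    try:
        argv = shlex.split(ev["command_line"], posix=False)  # keep Windows quoting intact
    except ValueError:
        return False
    return len(argv) <= 1


def rule_regasm_parent(ev: dict) -> bool:
    """RegAsm.exe spawned by a binary in a user-writable location (here %TEMP%)."""
    return (ev["type"] == "ProcessCreate" and _is_regasm(ev["image"])
            and bool(USER_WRITABLE_RE.search(ev.get("parent_image", ""))))


def rule_process_access(ev: dict) -> bool:
    """A user-writable binary obtained write access to RegAsm.exe (the WriteProcessMemory step)."""
    return (ev["type"] == "ProcessAccess" and _is_regasm(ev["target_image"])
            and bool(ev["granted_access"] & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION))
            and bool(USER_WRITABLE_RE.search(ev.get("source_image", ""))))


def rule_startup_url(ev: dict) -> bool:
    """Any .url dropped into a Startup folder, not just AudioHandlers.url."""
    return ev["type"] == "FileCreate" and bool(STARTUP_RE.search(ev["target"]))


def rule_c2(ev: dict) -> bool:
    """The C2 hostname, or the C2 port on any duckdns host (port alone is too weak)."""
    if ev["type"] == "DnsQuery":
        return ev["query"].lower() == C2_HOST
    if ev["type"] == "NetworkConnect":
        host = ev.get("dest_host", "").lower()
        return host == C2_HOST or (ev.get("dest_port") == C2_PORT and host.endswith(".duckdns.org"))
    return False


def rule_hash(ev: dict) -> bool:
    return ev["type"] == "ProcessCreate" and ev.get("hashes", {}).get("SHA256", "").lower() == SHA256


RULES = {
    "regasm_without_arguments": rule_regasm_no_args,
    "regasm_spawned_from_user_writable_path": rule_regasm_parent,
    "write_access_to_regasm": rule_process_access,
    "startup_folder_url_dropped": rule_startup_url,
    "revengerat_c2_indicator": rule_c2,
    "known_sample_hash": rule_hash,
}


def evaluate(events):
    """Return (rule name, pid) pairs for every event that matches a rule."""
    return [(name, ev.get("pid", ev.get("source_pid")))
            for ev in events for name, rule in RULES.items() if rule(ev)]


def triggered_rules(events):
    return sorted({name for name, _ in evaluate(events)})


LOADER = r"C:\Users\Admin\AppData\Local\Temp\8b1de00abeb084a15946013cc17504f0N.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

# Constructed events modelled on the report (parent of the loader, access mask,
# DNS and connection records are assumptions, not data from the report).
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1972, "image": LOADER, "command_line": f'"{LOADER}"',
     "parent_image": r"C:\Windows\explorer.exe", "hashes": {"SHA256": SHA256}},
    {"type": "ProcessCreate", "pid": 1200, "image": REGASM, "command_line": f'"{REGASM}"',
     "parent_image": LOADER, "parent_pid": 1972},
    {"type": "ProcessAccess", "source_pid": 1972, "source_image": LOADER,
     "target_pid": 1200, "target_image": REGASM, "granted_access": 0x1FFFFF},
    {"type": "FileCreate", "pid": 1972, "target": STARTUP_URL},
    {"type": "DnsQuery", "pid": 1200, "query": C2_HOST},
    {"type": "NetworkConnect", "pid": 1200, "dest_host": C2_HOST, "dest_port": C2_PORT},
]

# Constructed benign control: RegAsm.exe run by an installer with real arguments.
BENIGN_EVENTS = [
    {"type": "ProcessCreate", "pid": 3300, "image": REGASM,
     "command_line": f'"{REGASM}" /codebase "C:\\Program Files\\Vendor\\Interop.dll"',
     "parent_image": r"C:\Windows\System32\msiexec.exe", "hashes": {"SHA256": "0" * 64}},
    {"type": "NetworkConnect", "pid": 3300, "dest_host": "update.vendor.example", "dest_port": 443},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:40s} pid={pid}")
    print("benign control:", triggered_rules(BENIGN_EVENTS))
```

The two RegAsm.exe rules are the ones worth keeping after this sample is forgotten: an argument-less RegAsm.exe, or one whose parent lives under %TEMP%, is abnormal regardless of which RAT family is being hollowed into it.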
Processes

PID 1972: C:\Users\Admin\AppData\Local\Temp\8b1de00abeb084a15946013cc17504f0N.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8b1de00abeb084a15946013cc17504f0N.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 1200 (child of 1972): C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    RegAsm.exe is launched with no arguments, which a legitimate registration run never is; on its own that is a usable hunt condition.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Techniques mapped from the signatures above: T1055.012 Process Injection: Process Hollowing; T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; T1614.001 System Location Discovery: System Language Discovery.
Downloads
Memory dumps from behavioral1, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp, with the size of each region:
memory/1200-1-0x0000000000400000-0x0000000000408000-memory.dmp | 32KB
memory/1200-2-0x0000000000400000-0x0000000000408000-memory.dmp | 32KB
memory/1200-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/1200-7-0x0000000000400000-0x0000000000408000-memory.dmp | 32KB
memory/1200-8-0x0000000000400000-0x0000000000408000-memory.dmp | 32KB
memory/1200-10-0x0000000074502000-0x0000000074504000-memory.dmp | 8KB
memory/1972-0-0x0000000001190000-0x0000000001283000-memory.dmp | 972KB
memory/1972-9-0x0000000000750000-0x0000000000751000-memory.dmp | 4KB
memory/1972-14-0x0000000001190000-0x0000000001283000-memory.dmp | 972KB
The four 32KB dumps of PID 1200 (RegAsm.exe) are successive snapshots of the same 0x400000-0x408000 region, the first place to look for the RevengeRAT payload written there by PID 1972; the 4KB page at 0x7EFDE000 is where Windows 7 typically maps a 32-bit process's PEB. The two 972KB dumps of PID 1972 are the AutoIT loader image that matched the autoit_exe YARA rule.
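When a region dump like memory/1200-2-0x400000-0x408000 is pulled down, the first triage question is whether it holds a complete PE image that was mapped at exactly that address, and whether that image is managed code (RevengeRAT is a .NET RAT, and RegAsm.exe is a .NET framework tool). The following is an added example, not tooling from the sandbox: it parses the dump name for the region, reads the PE optional header to compare ImageBase and SizeOfImage against the region, and checks the CLR data directory. The real dump is not on this page, so the bytes are a constructed header-only PE32 stand-in; the assumption that a region dump begins at the region's start address is also the example's, not the report's.

```python
"""Triage a sandbox memory-region dump: does it carry a PE mapped at that
region, and is it a .NET image? Sample bytes are constructed, not a real dump."""
import re
import struct

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def parse_dump_name(name: str) -> dict:
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> pid, seq, start, end, size."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start}


def pe_summary(data: bytes) -> dict:
    """Read the handful of header fields that matter for a hollowing triage."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                                 # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + CLR_DIRECTORY_INDEX * 8)
    sections = [struct.unpack_from("<8s", data, opt + opt_size + i * 40)[0]
                .rstrip(b"\0").decode("ascii", "replace") for i in range(nsections)]
    return {"machine": machine, "image_base": image_base, "size_of_image": size_of_image,
            "entry_point": entry, "is_dotnet": clr_rva != 0 and clr_size != 0,
            "sections": sections}


def assess_region(name: str, data: bytes) -> dict:
    """Combine region metadata and header facts into a triage verdict."""
    region = parse_dump_name(name)
    try:
        pe = pe_summary(data)
    except ValueError:
        return {"region": region, "pe": None, "mapped_pe_image_at_region": False}
    mapped = pe["image_base"] == region["start"] and pe["size_of_image"] == region["size"]
    return {"region": region, "pe": pe, "mapped_pe_image_at_region": mapped}


def build_sample_image(image_base=0x400000, size_of_image=0x8000, dotnet=True) -> bytes:
    """Constructed stand-in for the dumped region: a header-only PE32 with one section."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 8, 0,                       # magic, linker version
                      0x1000, 0x1000, 0, 0x1000, 0x1000, 0x2000, image_base, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,                  # OS / image / subsystem versions
                      0, size_of_image, 0x200, 0,        # win32 ver, SizeOfImage, headers, checksum
                      3, 0x8540,                         # subsystem CUI, DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    directories = [(0, 0)] * 16
    if dotnet:
        directories[CLR_DIRECTORY_INDEX] = (0x2008, 0x48)  # assumed CLR header location
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in directories)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + dirs + section).ljust(size_of_image, b"\0")


if __name__ == "__main__":
    name = "memory/1200-2-0x0000000000400000-0x0000000000408000-memory.dmp"
    print(assess_region(name, build_sample_image()))
```

A region whose header says ImageBase 0x400000 and SizeOfImage 0x8000, exactly the dumped range, with a populated CLR directory, is a mapped managed image; on the real dump that is the candidate to carve, strip the unmapping artefacts from and feed to a .NET decompiler. A region that fails the MZ check is more likely heap or a decrypted blob that has not yet been mapped.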