Resubmissions

03-08-2024 22:30

240803-2evwbsxemn 10

03-08-2024 21:31

240803-1day4awcjj 10

03-08-2024 21:20

240803-z679mawaln 10

03-08-2024 21:04

240803-zwppjavfnp 10

03-08-2024 20:57

240803-zrnaxavepm 10

03-08-2024 20:27

240803-y8sfhsvanl 10

09-12-2021 20:37

211209-zeh6esfcfq 10

Analysis

  • max time kernel
    269s
  • max time network
    270s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240704-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    03-08-2024 20:57

General

  • Target

    FreeBitco.in Next Roll Prediction (Trial 1 Day).exe

  • Size

    988KB

  • MD5

    afb30fed336e9b1e5e8ea5d941691b2a

  • SHA1

    afeb330ea75da11608bc4f32d3490ed38cfd4c11

  • SHA256

    16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1

  • SHA512

    f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a

  • SSDEEP

    24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
    "C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
      2⤵
      • Executes dropped EXE
      PID:2652
    • C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2396
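
The tree above shows the chain a detection engineer wants to encode: a sample in %TEMP% starts two dropped executables under AppData\Roaming\Microsoft, one of them (temp5789e.exe, PID 2832) starts InstallUtil.exe with no arguments, and that InstallUtil.exe starts a second copy of itself. The script below is an added example, not part of the sandbox report or of any tool it uses. The TREE is transcribed from the Processes section; the list of .NET host binaries, the rule names and the "no arguments" criterion are my own choices, written to show how the three suspicious relationships in this tree can be flagged from parent/child/command-line data alone.

```python
"""
Process-tree heuristics for the chain shown in the report (added example).
TREE is transcribed from the Processes section; the host-binary list and the
rules are the author's own choices, not the sandbox's signature logic.
"""
import ntpath
from dataclasses import dataclass
from typing import Optional

# .NET framework utilities that loaders commonly start and then overwrite with
# the real payload; the report shows InstallUtil.exe being used this way.
DOTNET_HOLLOW_HOSTS = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "applaunch.exe", "aspnet_compiler.exe",
}
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # None marks the submitted sample


INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"
GONS = r"C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe"
TEMP5789E = r"C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe"

# Transcribed from the Processes section of the report (constructed input).
TREE = [
    Proc(2636, SAMPLE, f'"{SAMPLE}"'),
    Proc(2652, GONS, GONS, 2636),
    Proc(2832, TEMP5789E, TEMP5789E, 2636),
    Proc(1944, INSTALLUTIL, f'"{INSTALLUTIL}"', 2832),
    Proc(2396, INSTALLUTIL, f'"{INSTALLUTIL}"', 1944),
]


def split_cmdline(cmdline: str) -> tuple:
    """Return (executable, remaining arguments) for a Windows command line,
    honouring a quoted first token; sufficient for the lines in this report."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyse(tree) -> list:
    """Apply three parent/child heuristics and return one finding per hit."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        _, args = split_cmdline(p.cmdline)
        base = ntpath.basename(p.image).lower()
        # Rule 1: a .NET host binary started with no arguments by a process
        # outside C:\Windows. InstallUtil.exe has nothing to do without an
        # assembly argument, so this launch shape is the hollowed-host tell.
        if (base in DOTNET_HOLLOW_HOSTS and args == "" and parent is not None
                and not parent.image.lower().startswith("c:\\windows\\")):
            findings.append({"pid": p.pid, "rule": "dotnet-host-no-args",
                             "detail": f"{base} spawned by {ntpath.basename(parent.image)}"})
        # Rule 2: an executable in the user profile starts another executable
        # that also lives there (dropper -> dropped EXE).
        if parent is not None and in_user_writable(p.image) and in_user_writable(parent.image):
            findings.append({"pid": p.pid, "rule": "profile-exe-chain",
                             "detail": f"{ntpath.basename(parent.image)} -> {base}"})
        # Rule 3: a host binary starting a second copy of itself
        # (InstallUtil.exe 1944 -> InstallUtil.exe 2396 in the report).
        if (parent is not None and base in DOTNET_HOLLOW_HOSTS
                and parent.image.lower() == p.image.lower()):
            findings.append({"pid": p.pid, "rule": "host-self-spawn",
                             "detail": f"{base} pid {parent.pid} -> pid {p.pid}"})
    return findings


if __name__ == "__main__":
    for f in analyse(TREE):
        print(f"PID {f['pid']:>5}  {f['rule']:<22} {f['detail']}")
```

Run against the transcribed tree this flags 2652 and 2832 (profile-exe-chain), 1944 (dotnet-host-no-args) and 2396 (host-self-spawn), while the sample itself, which has no parent in the tree, produces nothing. The same three rules map directly onto Sysmon event ID 1 fields (Image, ParentImage, CommandLine) if you want to deploy them rather than replay a report.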

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hqqNLCGRF.txt

    Filesize

    54B

    MD5

    feff0ef7b1806ec99a169a9c65bf7d85

    SHA1

    506370d143d605e5a1b2f8dcb28ff3d28d7f47bf

    SHA256

    06c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd

    SHA512

    e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05

  • \Users\Admin\AppData\Roaming\Microsoft\gons.exe

    Filesize

    93KB

    MD5

    5596954c05b7854febf8fc86258ee259

    SHA1

    0f3cbe5382fbe23d0d4d425a9343339c20fe47d0

    SHA256

    489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9

    SHA512

    9ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e

  • \Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe

    Filesize

    591KB

    MD5

    70ba9bb9b4a4a5c81b2c17f0110cef81

    SHA1

    75ce808554c4f79cb4d603fa500d7205cadffdc8

    SHA256

    b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11

    SHA512

    a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f

  • memory/1944-32-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1944-41-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-42-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-38-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-43-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-34-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-36-0x0000000000400000-0x000000000049A000-memory.dmp

    Filesize

    616KB

  • memory/1944-45-0x00000000002A0000-0x00000000002B8000-memory.dmp

    Filesize

    96KB

  • memory/2396-52-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-55-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-57-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-58-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-46-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-50-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2396-48-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/2652-25-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2652-30-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2652-27-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2652-24-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2652-22-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2652-20-0x00000000003B0000-0x00000000003CC000-memory.dmp

    Filesize

    112KB

  • memory/2832-44-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2832-29-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2832-28-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

    Filesize

    4KB

  • memory/2832-26-0x0000000000260000-0x0000000000278000-memory.dmp

    Filesize

    96KB

  • memory/2832-23-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

    Filesize

    9.9MB

  • memory/2832-21-0x0000000000EB0000-0x0000000000F4A000-memory.dmp

    Filesize

    616KB

  • memory/2832-19-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

    Filesize

    4KB
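
The dump names above follow the pattern memory/<pid>-<snapshot>-<start>-<end>-memory.dmp, and reading them side by side is informative: temp5789e.exe (PID 2832) holds a 616KB region at 0xEB0000 and a 96KB region at 0x260000, and the InstallUtil.exe it started (PID 1944) holds regions of exactly those sizes at 0x400000 and 0x2A0000, while the 9.9MB region at 0x7FEF5BC0000 appears at the same address in both 2652 and 2832 and so looks like a mapping both processes share rather than a private payload. The script below is an added example, not part of the report: it parses the dump names (repeated snapshots of one region collapsed, parent map taken from the Processes section), discards regions shared at the same address across processes and single-page dumps, and lists parent/child region pairs of equal size. Equal size is a heuristic pointer to what was written into the child, not proof of injection; the page-size cutoff and the parent map are my assumptions.

```python
"""
Cross-process memory-region matching over sandbox dump names (added example,
not part of the report). DUMPS is transcribed from the Downloads section with
repeated snapshots collapsed; PARENT follows the Processes section.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Constructed input: one entry per distinct region seen in the report, plus
# one repeated snapshot (1944-41) to show that snapshots are collapsed.
DUMPS = [
    "memory/1944-32-0x0000000000400000-0x000000000049A000-memory.dmp",
    "memory/1944-41-0x0000000000400000-0x000000000049A000-memory.dmp",
    "memory/1944-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/1944-45-0x00000000002A0000-0x00000000002B8000-memory.dmp",
    "memory/2396-46-0x0000000000400000-0x000000000040C000-memory.dmp",
    "memory/2652-22-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp",
    "memory/2652-20-0x00000000003B0000-0x00000000003CC000-memory.dmp",
    "memory/2832-23-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp",
    "memory/2832-19-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp",
    "memory/2832-26-0x0000000000260000-0x0000000000278000-memory.dmp",
    "memory/2832-21-0x0000000000EB0000-0x0000000000F4A000-memory.dmp",
]
PARENT = {2652: 2636, 2832: 2636, 1944: 2832, 2396: 1944}  # child -> parent
PAGE = 0x1000  # assumption: single-page dumps are too common to be meaningful


def regions_by_pid(names) -> dict:
    """pid -> {(start, end)}: one entry per distinct region, snapshots collapsed."""
    out = defaultdict(set)
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m is None:
            continue  # not a memory dump entry (e.g. a dropped file)
        pid, _snapshot, start, end = m.groups()
        out[int(pid)].add((int(start, 16), int(end, 16)))
    return dict(out)


def shared_regions(regions) -> set:
    """Regions dumped at the same address in more than one process: a mapping
    the processes have in common, not a payload private to one of them."""
    seen = defaultdict(set)
    for pid, regs in regions.items():
        for r in regs:
            seen[r].add(pid)
    return {r for r, pids in seen.items() if len(pids) > 1}


def match_parent_child(regions, parent_map) -> list:
    """Equal-size private regions in a parent and its child, largest first."""
    shared = shared_regions(regions)
    hits = []
    for child, parent in parent_map.items():
        for cs, ce in regions.get(child, ()):
            size = ce - cs
            if (cs, ce) in shared or size <= PAGE:
                continue
            for ps, pe in regions.get(parent, ()):
                if (ps, pe) not in shared and pe - ps == size:
                    hits.append({"parent": parent, "child": child, "size": size,
                                 "parent_start": ps, "child_start": cs})
    hits.sort(key=lambda h: -h["size"])
    return hits


if __name__ == "__main__":
    regs = regions_by_pid(DUMPS)
    for h in match_parent_child(regs, PARENT):
        print(f"{h['size'] // 1024:>4}KB  pid {h['parent']} @0x{h['parent_start']:X}"
              f"  ->  pid {h['child']} @0x{h['child_start']:X}")
```

On the transcribed names the only pairs reported are 2832 to 1944 at 616KB (0xEB0000 to 0x400000) and at 96KB (0x260000 to 0x2A0000); the 48KB region in 2396 has no same-size counterpart in 1944, so the second InstallUtil.exe is not explained by this heuristic and would need the dumps themselves. When you have the .dmp files, the natural next step is to hash or diff the two 616KB regions rather than trust size alone.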