Analysis Overview
SHA256
61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826
Threat Level: Known bad
The file 61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe was found to be: Known bad.
Malicious Activity Summary
Revengerat family
AgentTesla
RevengeRat Executable
RevengeRAT
Credentials from Password Stores: Credentials from Web Browsers
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Reads WinSCP keys stored on the system
Loads dropped DLL
Reads user/profile data of local email clients
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 01:47
Signatures
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Revengerat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 01:47
Reported
2024-08-06 01:49
Platform
win7-20240729-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
AgentTesla
RevengeRAT
Credentials from Password Stores: Credentials from Web Browsers
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\order = "C:\\Users\\Admin\\AppData\\Roaming\\order.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\VsUPptm = "C:\\Users\\Admin\\AppData\\Roaming\\VsUPptm\\VsUPptm.exe" | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2992 set thread context of 1060 | N/A | C:\Users\Admin\AppData\Roaming\order.exe | C:\Users\Admin\AppData\Roaming\order.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | "C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "order" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 18 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe" "C:\Users\Admin\AppData\Roaming\order.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 17 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "order" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 17 |
| C:\Users\Admin\AppData\Roaming\order.exe | "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Users\Admin\AppData\Roaming\order.exe | "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Users\Admin\AppData\Roaming\order.exe | "C:\Users\Admin\AppData\Roaming\order.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evdanco.ru | udp |
| RO | 80.96.42.133:587 | evdanco.ru | tcp |
Files
memory/2660-0-0x000000007421E000-0x000000007421F000-memory.dmp
memory/2660-1-0x0000000000E60000-0x0000000000F94000-memory.dmp
memory/2660-2-0x0000000000880000-0x00000000008C4000-memory.dmp
memory/2660-3-0x0000000074210000-0x00000000748FE000-memory.dmp
memory/2660-4-0x0000000074210000-0x00000000748FE000-memory.dmp
\Users\Admin\AppData\Roaming\order.exe
| MD5 | 2ce48ee21074ae8d6828f50d79e00866 |
| SHA1 | 2f33630a3f8999d345a7b8391a1ef2a01bd1caaa |
| SHA256 | 61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826 |
| SHA512 | da43c141dabf296147c094538478319efba2db300fd13f1a80a7005cfa540bf8ec034f72f31000607036c49aafd12f78016e4bf29a84ee65942e6dcdaa3c6381 |
memory/2992-15-0x0000000000BD0000-0x0000000000D04000-memory.dmp
memory/2992-16-0x00000000007E0000-0x00000000007FA000-memory.dmp
memory/2992-17-0x0000000000800000-0x0000000000806000-memory.dmp
memory/1152-22-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-20-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-18-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1152-24-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1060-37-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1060-40-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1060-39-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 01:47
Reported
2024-08-06 01:49
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
141s
Command Line
Signatures
AgentTesla
RevengeRAT
Credentials from Password Stores: Credentials from Web Browsers
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\order = "C:\\Users\\Admin\\AppData\\Roaming\\order.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VsUPptm = "C:\\Users\\Admin\\AppData\\Roaming\\VsUPptm\\VsUPptm.exe" | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3188 set thread context of 4124 | N/A | C:\Users\Admin\AppData\Roaming\order.exe | C:\Users\Admin\AppData\Roaming\order.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\order.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe | "C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe" |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 16 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "order" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 16 |
| C:\Windows\SysWOW64\cmd.exe | "cmd" /c ping 127.0.0.1 -n 17 > nul && copy "C:\Users\Admin\AppData\Local\Temp\61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826.exe" "C:\Users\Admin\AppData\Roaming\order.exe" && ping 127.0.0.1 -n 17 > nul && "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 17 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "order" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 17 |
| C:\Users\Admin\AppData\Roaming\order.exe | "C:\Users\Admin\AppData\Roaming\order.exe" |
| C:\Users\Admin\AppData\Roaming\order.exe | "C:\Users\Admin\AppData\Roaming\order.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | evdanco.ru | udp |
| RO | 80.96.42.133:587 | evdanco.ru | tcp |
| RO | 80.96.42.133:587 | evdanco.ru | tcp |
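Both detonations show the same network shape: DNS plus an HTTPS or HTTP request to api.ipify.org and ip-api.com (the "Looks up external IP address via web service" signature), followed by TCP to 80.96.42.133:587 for evdanco.ru. Port 587 is the SMTP submission port; reading that flow as the likely exfiltration channel is my inference, the report only records the connection. The in-addr.arpa lookups and g.bing.com traffic that appear only on the Windows 10 run are, by assumption, sandbox and OS background noise rather than sample behaviour. The Python below is an added example and not sandbox code: it takes the behavioral2 table (abridged) as constructed input and pulls out the blockable indicators. The lookup-service names beyond the two in the report, the mail_allowlist parameter and the result keys are assumptions of mine.

```python
import ipaddress

# Constructed sample: rows from the behavioral2 Network table above, abridged
# to one reverse-DNS row per kind, as (country, destination, domain, proto).
FLOWS = [
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "1.112.95.208.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "api.ipify.org", "udp"),
    ("US", "172.67.74.152:443", "api.ipify.org", "tcp"),
    ("US", "8.8.8.8:53", "ip-api.com", "udp"),
    ("US", "208.95.112.1:80", "ip-api.com", "tcp"),
    ("US", "8.8.8.8:53", "evdanco.ru", "udp"),
    ("RO", "80.96.42.133:587", "evdanco.ru", "tcp"),
    ("RO", "80.96.42.133:587", "evdanco.ru", "tcp"),
]

# The two services seen in this report plus a few other widely used
# external-IP services (assumption: extend with what your telemetry shows).
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com", "ipinfo.io",
                      "checkip.dyndns.org", "icanhazip.com"}
MAIL_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission


def split_dest(dest):
    """'80.96.42.133:587' -> (IPv4Address, 587)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def triage_flows(flows, mail_allowlist=frozenset()):
    """Reduce a sandbox network table to the indicators a responder acts on.

    mail_allowlist: hosts the environment legitimately submits mail to
    (assumption: empty here, so every direct SMTP submission is flagged).
    """
    lookups, smtp, reverse_dns = [], [], 0
    for country, dest, domain, proto in flows:
        if domain.endswith(".in-addr.arpa"):
            reverse_dns += 1          # PTR lookups by the sandbox/OS, not the sample's C2
            continue
        ip, port = split_dest(dest)
        if proto == "udp" and port == 53:
            continue                  # the resolution; the tcp row that follows is the action
        if domain in IP_LOOKUP_SERVICES:
            lookups.append(domain)
        elif port in MAIL_PORTS and domain not in mail_allowlist:
            ioc = (domain, str(ip), port, country)
            if ioc not in smtp:       # behavioral2 logs the 587 connection twice
                smtp.append(ioc)
    return {
        "ip_lookup_services": sorted(set(lookups)),
        "smtp_submission": smtp,      # (domain, ip, port, country)
        "reverse_dns_noise": reverse_dns,
        # Victim-IP discovery plus direct SMTP submission to a host that is not
        # a mail provider is the mail-exfiltration shape; flag only when both occur.
        "exfil_over_smtp_suspected": bool(lookups) and bool(smtp),
    }


def block_list(result):
    """Flat list of indicators for a firewall or DNS sinkhole."""
    out = []
    for domain, ip, port, _ in result["smtp_submission"]:
        out += [f"domain:{domain}", f"ip:{ip}", f"dst-port:{port}"]
    return out


if __name__ == "__main__":
    r = triage_flows(FLOWS)
    print(r)
    print(block_list(r))
```

The IP-lookup services themselves are not worth blocking on their own, since plenty of legitimate software calls them; their value here is as the first half of a two-part pattern. A hit on this pattern in proxy or NetFlow data for a host that has no business sending mail directly is a strong reason to pull its Run keys and AppData\Roaming contents.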
Files
memory/1044-0-0x000000007487E000-0x000000007487F000-memory.dmp
memory/1044-1-0x0000000000850000-0x0000000000984000-memory.dmp
memory/1044-2-0x0000000005320000-0x00000000053BC000-memory.dmp
memory/1044-3-0x0000000005AC0000-0x0000000006064000-memory.dmp
memory/1044-4-0x0000000005510000-0x00000000055A2000-memory.dmp
memory/1044-5-0x0000000005480000-0x00000000054C4000-memory.dmp
memory/1044-6-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1044-7-0x0000000005930000-0x000000000593A000-memory.dmp
memory/1044-8-0x0000000074870000-0x0000000075020000-memory.dmp
memory/1044-10-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Roaming\order.exe
| MD5 | 2ce48ee21074ae8d6828f50d79e00866 |
| SHA1 | 2f33630a3f8999d345a7b8391a1ef2a01bd1caaa |
| SHA256 | 61b7e05dcfdd88f092265e1ee036a3b9b3cf75132656f9cd40814ad1efb55826 |
| SHA512 | da43c141dabf296147c094538478319efba2db300fd13f1a80a7005cfa540bf8ec034f72f31000607036c49aafd12f78016e4bf29a84ee65942e6dcdaa3c6381 |
memory/3188-16-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3188-17-0x0000000000BC0000-0x0000000000CF4000-memory.dmp
memory/3188-18-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/3188-19-0x0000000007400000-0x000000000741A000-memory.dmp
memory/3188-20-0x0000000007470000-0x0000000007476000-memory.dmp
memory/3188-21-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/4124-22-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4124-26-0x00000000050C0000-0x0000000005126000-memory.dmp
memory/3188-27-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/4124-30-0x0000000006930000-0x0000000006980000-memory.dmp
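The SetThreadContext indicator (PID 2992 set thread context of 1060 on Windows 7; PID 3188 of 4124 on Windows 10), the WriteProcessMemory signature, and a child order.exe whose dumped image region starts at 0x400000, the default image base of a 32-bit PE, together have the shape of process hollowing; that reading is an inference, the report names only the API calls. The Python below is an added example, not part of the report: it parses the dump file names from the Files sections, pairs them with the SetThreadContext indicator text, and lists every other process holding a region of exactly the same size as the rewritten image. On the behavioral1 data that turns up PID 1152's 0x70000-0xB8000 block (0x48000 bytes, the same as 1060's 0x400000-0x448000) as a candidate source buffer for the injected image; treat that as a heuristic lead to confirm by comparing the two dumps, not as an established link. Function and key names are mine.

```python
import re
from collections import defaultdict

# Sandbox dump names look like memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
SET_CONTEXT = re.compile(r"PID (\d+) set thread context of (\d+)")

# Constructed input: dump names from the behavioral1 Files section (abridged)
# and the text of that run's SetThreadContext indicator.
DUMPS = """
memory/2660-1-0x0000000000E60000-0x0000000000F94000-memory.dmp
memory/2992-15-0x0000000000BD0000-0x0000000000D04000-memory.dmp
memory/2992-16-0x00000000007E0000-0x00000000007FA000-memory.dmp
memory/2992-17-0x0000000000800000-0x0000000000806000-memory.dmp
memory/1152-22-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-20-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-18-0x0000000000070000-0x00000000000B8000-memory.dmp
memory/1152-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1060-37-0x0000000000400000-0x0000000000448000-memory.dmp
memory/1060-40-0x0000000000400000-0x0000000000448000-memory.dmp
""".split()
INDICATOR = "PID 2992 set thread context of 1060"


def parse_dumps(names):
    """pid -> sorted, de-duplicated (start, end) regions.

    The sandbox dumps the same range several times as it changes (1152 and
    1060 above); those repeats collapse to one region here."""
    regions = defaultdict(set)
    for name in names:
        m = DUMP_NAME.match(name)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return {pid: sorted(r) for pid, r in regions.items()}


def same_size_regions(regions, size, exclude_pid):
    """(pid, start, end) for every region of exactly `size` bytes in another process."""
    return sorted((pid, s, e)
                  for pid, rs in regions.items() if pid != exclude_pid
                  for s, e in rs if e - s == size)


def hollowing_report(names, indicator_text, image_base=0x400000):
    """Correlate SetThreadContext parent/child pairs with the child's dumped image.

    image_base: where a non-relocated 32-bit PE is mapped; a child whose dumped
    region starts exactly there after a context switch is the hollowing shape."""
    regions = parse_dumps(names)
    report = []
    for parent, child in SET_CONTEXT.findall(indicator_text):
        parent, child = int(parent), int(child)
        image = next(((s, e) for s, e in regions.get(child, []) if s == image_base), None)
        size = image[1] - image[0] if image else 0
        report.append({
            "parent": parent,
            "child": child,
            "rewritten_image": image,
            "size": size,
            # Other processes holding a buffer of identical size: candidate
            # sources of the bytes written into the child (heuristic only).
            "source_candidates": same_size_regions(regions, size, child) if image else [],
        })
    return report


if __name__ == "__main__":
    for entry in hollowing_report(DUMPS, INDICATOR):
        print(entry)
```

The dump worth carving first is the child's 0x400000 region: it is the payload as it ran, already unpacked, and its hashes will not match the 2ce48ee2... MD5 recorded for order.exe on disk, so a disk-only IOC sweep will miss it.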