Resubmissions

09/08/2024, 14:32

240809-rwb5fa1hkn 10

09/08/2024, 13:52

240809-q6tlssvfkf 10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    09/08/2024, 13:52

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/RAT/RevengeRAT.exe

Malware Config

Extracted

  • Family
    revengerat
  • Botnet
    Guest
  • C2
    0.tcp.ngrok.io:19521
  • Mutex
    RV_MUTEX

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • RevengeRat Executable 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/raw/master/RAT/RevengeRAT.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5e933cb8,0x7ffd5e933cc8,0x7ffd5e933cd8
      2⤵
      PID:3668
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
      2⤵
      PID:1364
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5080
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      2⤵
      PID:2552
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
      2⤵
      PID:3536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      2⤵
      PID:4456
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5028
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
      2⤵
      PID:4968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      2⤵
      PID:2236
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4652
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
      2⤵
      PID:2792
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
      2⤵
      PID:3704
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      2⤵
      PID:4008
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
      2⤵
      PID:2532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,6640505506839076106,936114770755106371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:5108
    • C:\Users\Admin\Downloads\RevengeRAT.exe
      "C:\Users\Admin\Downloads\RevengeRAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1164
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4768
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e61a11153a13448837bc343c1fe39dd0
    SHA1: 7d2868000fbcd08fd673ebaeb4b5699dcae43956
    SHA256: 231eba7dce28088414e4a6b52d2cb4802756b2e09f6226a50226d42de710db33
    SHA512: 32cded5de2b81dde53bb3caf402ead0f4566b53b2f6d9ae492395e460cb1c5dc636f912f10db6dcbcb7f398e187df9873ddd9ba945e37c23bbef138f100c5fab
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 641b075e84224debebae68904cd9a48d
    SHA1: 1464b1a57ea1bcb3f2c729e42c3c598a76d25496
    SHA256: 1f6ab1d39073f88247e1dc89e70590d603b2e29a19583e4ca9e01c3a8c6f009c
    SHA512: 17d0d29c0721e561281cff75cafa06e46bd0e95ebb44d408cd1526139d91fcd725705f3f58817b82fe0f0e3bb3775920a0e858b1ba44df745b3c700670c21e34
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 261B
    MD5: 2c2e6472d05e3832905f0ad4a04d21c3
    SHA1: 007edbf35759af62a5b847ab09055e7d9b86ffcc
    SHA256: 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
    SHA512: 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 0bf189a794d09cb2d4d44fb811710478
    SHA1: 2150868f6a23fa55bbcf2373aa33342fa15e71ca
    SHA256: 76c199b5be87434d2345ec882da7acd2233e5ca85a8b8888d6c99df2358c570e
    SHA512: 538a7918e92bc3b420f340eb82dda7de4a42372251c3a6941d51358aab770d230d4f4181afe394f61b02485689d52406949f079852661823fcbcb33974c9906d
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 2d6b90f0686a7dc0d01c96795161e4f8
    SHA1: 2ba5bbc2d59fc83a49c5c5820ed2080d214c3d24
    SHA256: 5d8c2a1540b2a9b0c39ad2ca67d75466a533d8b0a14796a7865ad9ff0414b148
    SHA512: 77147a1723c08ce9a9518242eeca02e145d370bb76c3d9748c3514f142cc10840f043c5484de24b899da26feba194adf6ea9dceb3869ecb769707d240cb6f203
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 8ea7cb9e58ab152cf09d78f8a5b1495f
    SHA1: 03eccf9ba6cbe1b90353c70de410216b8cb9265a
    SHA256: 4ad49d0aab5ff28beb58df8e871d94fb5a067e6af0c771c7553b1d076966f6b4
    SHA512: 5ec8c317d0877c7418e3c800e01796fb254b3ae4aa0019cc032d8a9e84740c76cd8dab63110810ee67c171a22b192243e0d7a09a410f59efbeb1bdbfa0635850
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 25KB
    MD5: c02f86f1d1ab1a8764080e1c74afd3de
    SHA1: 56d1f3b09fcf47b2340b206dc048bbe48b897d37
    SHA256: a97ff003f2ef85fab106176090f83c6ee305d0d290c903786c12c3b16e80aa4a
    SHA512: cf2179a93a3b3253a0f6e23a612790eeb82c1a5613998e97644653f6681b812eceff68adb88cc00cefd74d91d82a974346189e49b22fa7bf57450d877099014b
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: ffbc4b4c4e851402fcffbe5ea9559861
    SHA1: 99712dbfd29e6f7cf7154cb21712f75c0d60101b
    SHA256: 680f055f4c46253c12648ccd2d83a0601c6c46b9e1930a442b4149dc5df3f567
    SHA512: e0469620420395a4dcef6960abe5cde6bc3feebafc11237a52683f799496db9474a56a234013ef8b75521b1f7a24337dbc3f6248cdf2123cf98f1914e5884e17
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: abdb56667a057ccb2273299c24bac89e
    SHA1: 407c522952427f34b4391d726ddc813098ef9e57
    SHA256: e1904834c1570b4223bc6f842192ee1a85a93a68b35fa478caecee0b00f9786b
    SHA512: 7ab135eb56fa183354921887d423ff9c289e0b1b57bc5b212647d3942330a2919a97c0ecca5f7a76400ae3e35178bcde984ddfa9b8974938e273050752f3577d
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 9c0f55cd9dcf4386ff1bc4ff780cbf8d
    SHA1: c5495468155d52661f4284cf5b9b6a103c2bd6e2
    SHA256: bf89818370acaf4b8a8aeff2040d6cbcfea3cb3e2bff735bb901cc87f09ae2e1
    SHA512: 8073ef4620d644b675b97f6da97f56c2129949d0ff5c7053e1fc0fb11ac222c289ca95ebc5e5b86654b858f49a192359612ad35a11fa8d1741c90603db6670c0
  • C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt
    Filesize: 39B
    MD5: 502984a8e7a0925ac8f79ef407382140
    SHA1: 0e047aa443d2101eb33ac4742720cb528d9d9dba
    SHA256: d25b36f2f4f5ec765a39b82f9084a9bde7eb53ac12a001e7f02df9397b83446c
    SHA512: 6c721b4ae08538c7ec29979da81bc433c59d6d781e0ce68174e2d0ca1abf4dbc1c353510ce65639697380ccd637b9315662d1f686fea634b7e52621590bfef17
  • C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier
    Filesize: 26B
    MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
    SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
    SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
    SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
  • C:\Users\Admin\Downloads\Unconfirmed 400556.crdownload
    Filesize: 4.0MB
    MD5: 1d9045870dbd31e2e399a4e8ecd9302f
    SHA1: 7857c1ebfd1b37756d106027ed03121d8e7887cf
    SHA256: 9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
    SHA512: 9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
  • memory/1164-113-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize: 48KB
  • memory/2208-112-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB
  • memory/3700-108-0x000000001BD80000-0x000000001C24E000-memory.dmp
    Filesize: 4.8MB
  • memory/3700-109-0x000000001C250000-0x000000001C2F6000-memory.dmp
    Filesize: 664KB
  • memory/3700-110-0x000000001C3C0000-0x000000001C422000-memory.dmp
    Filesize: 392KB