revengerat | 2f96b6d5ef6172428479cef8a3d2083438aed499b5d68cb3ce5672e6f661efd6

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe
Size

1.3MB
MD5

acebab38e2cefb85e46de5b50dec7753
SHA1

7dcbbd5f115c9d8a8028ebc21a06f45dbaceab08
SHA256

2f96b6d5ef6172428479cef8a3d2083438aed499b5d68cb3ce5672e6f661efd6
SHA512

d119cabc22dc8cbde7ba9c09af295fc48f3323c3e3b80bdebd326f16fe83cbe96da2692af16c59c6704dd859b4fa345fcf7a19b24f87f40060a5940412419364
SSDEEP

24576:bsWDjD9t8+vEoT3ZQcYH/NcfWU5JU8GVadPUhdA1/LG/oQaV+1LVO:bjDXf8+vEoT3u315Uw8sXdA1/L8aA1Y

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023467-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
4984	muBlinder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4984	muBlinder.exe
4984	muBlinder.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 4984	740	acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe	87
PID 740 wrote to memory of 4984	740	acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\acebab38e2cefb85e46de5b50dec7753_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\muBlinder.exe
  "C:\Users\Admin\AppData\Local\Temp\muBlinder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\muBlinder.exe

Filesize
1.4MB

MD5
61129b8736077474cf665be845b03bb9

SHA1
de42f7e97f7045652edc80bc89ec31369144f3fb

SHA256
73b264f2012f0e97fedde037a5cb1dc18076539f77fbeafc142fe8804cd7196d

SHA512
4a285030828b1999674911d5c8d760689f1461324f47c12b939b2fe92ee73fd18bc8aa89069c7b505614501cc33911081381040b5e9a1481c3d2f621411b997f

Download Submit
memory/4984-7-0x00007FFA9F9C5000-0x00007FFA9F9C6000-memory.dmp

Filesize
4KB

Download
memory/4984-8-0x000000001B240000-0x000000001B2E6000-memory.dmp

Filesize
664KB

Download
memory/4984-9-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-10-0x000000001B820000-0x000000001BCEE000-memory.dmp

Filesize
4.8MB

Download
memory/4984-11-0x000000001BD90000-0x000000001BE2C000-memory.dmp

Filesize
624KB

Download
memory/4984-12-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-13-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/4984-14-0x000000001BEF0000-0x000000001BF3C000-memory.dmp

Filesize
304KB

Download
memory/4984-15-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-16-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-17-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-18-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-19-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-20-0x00007FFA9F9C5000-0x00007FFA9F9C6000-memory.dmp

Filesize
4KB

Download
memory/4984-21-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-22-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download
memory/4984-23-0x00007FFA9F710000-0x00007FFAA00B1000-memory.dmp

Filesize
9.6MB

Download