revengerat | e002c343738db4a81559773f2bb2540d485f03cadcaa98eeceb6ea6090191f09 | Triage

Sharing

General

Target

ef89cea9368a2b47907cf970e7607d52_JaffaCakes118
Size

59KB
Sample

240921-lv39mswdje
MD5

ef89cea9368a2b47907cf970e7607d52
SHA1

87fe9ba46aeb16d0a41771e7b546806fef50dda0
SHA256

e002c343738db4a81559773f2bb2540d485f03cadcaa98eeceb6ea6090191f09
SHA512

e212f77d300d3507d5b013cb2626e8101d871286c3adc117b60605b095a5c5101e213f658ad6a8efed72d0285eb8eaf4c61f52d2ff2f2c126b315202e02d2dc9
SSDEEP

768:BpvgWaSs4U3vVOrEmiyE5pbUieSeK8KDoZwA5h6UHag5mik2WJOq7h9YAK:BpvLB+vVOt2GKzYh9H1gikTOqt9YAK

Score

10^/10

revengerat doka discovery persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

doka

C2

94.23.193.139:662

kahbata3chelaf.fr:662

kahbata3chelaf.com:662

Mutex

ccccccccc-kuiGGjjtnxDp

Targets

- Target
  
  ef89cea9368a2b47907cf970e7607d52_JaffaCakes118
- Size
  
  59KB
- MD5
  
  ef89cea9368a2b47907cf970e7607d52
- SHA1
  
  87fe9ba46aeb16d0a41771e7b546806fef50dda0
- SHA256
  
  e002c343738db4a81559773f2bb2540d485f03cadcaa98eeceb6ea6090191f09
- SHA512
  
  e212f77d300d3507d5b013cb2626e8101d871286c3adc117b60605b095a5c5101e213f658ad6a8efed72d0285eb8eaf4c61f52d2ff2f2c126b315202e02d2dc9
- SSDEEP
  
  768:BpvgWaSs4U3vVOrEmiyE5pbUieSeK8KDoZwA5h6UHag5mik2WJOq7h9YAK:BpvLB+vVOt2GKzYh9H1gikTOqt9YAK
Score

10^/10

revengerat doka discovery persistence trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Scripting

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratdokadiscoverypersistencetrojan

behavioral2

revengeratdokadiscoverypersistencetrojan