Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 20:52 UTC

General

  • Target

    6b5ea50ade8fd94ea3b976cf695af2a7e5073a58f009acf36da25ba7d74d07a3N.exe

  • Size

    952KB

  • MD5

    793162a4ab2bda8dbdb6e4ff9dd1a320

  • SHA1

    9a6bffd6d6ddcea0876570df7134b8d78a7efae7

  • SHA256

    6b5ea50ade8fd94ea3b976cf695af2a7e5073a58f009acf36da25ba7d74d07a3

  • SHA512

    cc437d202872bed9117956b52c2e01bb551ab93f20c194f7d01f19deaae1075758473e1aa01ca3dd79cad24738550802c4caadd197a0ebd3c1302d73a8759350

  • SSDEEP

    24576:2AHnh+eWsN3skA4RV1HDm2KXMmHaKZT59:Rh+ZkldDPK8YaKj9

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

C2

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Drops startup file 1 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b5ea50ade8fd94ea3b976cf695af2a7e5073a58f009acf36da25ba7d74d07a3N.exe
    "C:\Users\Admin\AppData\Local\Temp\6b5ea50ade8fd94ea3b976cf695af2a7e5073a58f009acf36da25ba7d74d07a3N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4884
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2904

Network

  • DNS marzorevenger.duckdns.org (RegAsm.exe)
    Remote address: 8.8.8.8:53
    Request: marzorevenger.duckdns.org IN A
    Response: marzorevenger.duckdns.org IN A 186.85.86.137
  • DNS 8.8.8.8.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 241.150.49.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 241.150.49.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 133.32.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.32.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 209.205.72.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 209.205.72.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 26.165.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 26.165.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 0.205.248.87.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 0.205.248.87.in-addr.arpa IN PTR
    Response: 0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0lgwllnwnet
  • DNS marzorevenger.duckdns.org (RegAsm.exe)
    Remote address: 8.8.8.8:53
    Request: marzorevenger.duckdns.org IN A
    Response: marzorevenger.duckdns.org IN A 186.85.86.137
  • DNS 19.229.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    260 B
    5
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    260 B
    5
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    260 B
    5
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    260 B
    5
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    260 B
    5
  • 186.85.86.137:4230
    marzorevenger.duckdns.org
    RegAsm.exe
    52 B
    1
  • 8.8.8.8:53
    marzorevenger.duckdns.org
    dns
    RegAsm.exe
    71 B
    87 B
    1
    1

    DNS Request

    marzorevenger.duckdns.org

    DNS Response

    186.85.86.137

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    133.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    133.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    marzorevenger.duckdns.org
    dns
    RegAsm.exe
    71 B
    87 B
    1
    1

    DNS Request

    marzorevenger.duckdns.org

    DNS Response

    186.85.86.137

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2904-2-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2904-6-0x0000000073E02000-0x0000000073E03000-memory.dmp

    Filesize

    4KB

  • memory/2904-7-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

  • memory/2904-8-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

  • memory/2904-10-0x0000000073E02000-0x0000000073E03000-memory.dmp

    Filesize

    4KB

  • memory/2904-11-0x0000000073E00000-0x00000000743B1000-memory.dmp

    Filesize

    5.7MB

  • memory/4884-0-0x00000000006D0000-0x00000000007C3000-memory.dmp

    Filesize

    972KB

  • memory/4884-1-0x0000000000F10000-0x0000000000F11000-memory.dmp

    Filesize

    4KB

  • memory/4884-9-0x00000000006D0000-0x00000000007C3000-memory.dmp

    Filesize

    972KB

  • memory/4884-15-0x00000000006D0000-0x00000000007C3000-memory.dmp

    Filesize

    972KB
