General

  • Target

    d501d27e1fbaeb2616d25c7c62d532a8a0d0f6f9aa8cbaa1b5d643c3a4936f3eN

  • Size

    948KB

  • Sample

    241020-qc53qs1gqn

  • MD5

    c83e83d7f6694f711b5a0978b65d8e60

  • SHA1

    fd1d8ffef30043088d78341c83f132b0df627bb7

  • SHA256

    d501d27e1fbaeb2616d25c7c62d532a8a0d0f6f9aa8cbaa1b5d643c3a4936f3e

  • SHA512

    7b2cb73dba159130378d87d45ea4a2c0afe34d1ccdbe3068e63626ef8ea351cf4183a6ce33aacb65d2ebbc7722c2d7189e5615977f91c98418780d0c42cab8ce

  • SSDEEP

    24576:8AHnh+eWsN3skA4RV1Hom2KXMmHalSLUf5U:bh+ZkldoPK8YalvU

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

flames.hernetek.com:2522

Mutex

RV_MUTEX-LuSAtYBxGgZH
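
An added example, not part of this sandbox report or of any vendor tooling, that turns the indicators above into a small matcher: it hashes a file with the four algorithms the report lists and compares against the values above, flags network-log lines that reach the extracted C2 host and port, and classifies a mutex name. The log lines and the "ts kind src -> dst proto" layout are constructed for the demonstration; treating the "RV_MUTEX-" prefix as a family-wide indicator is an assumption drawn only from the mutex value on this page.

```python
"""Indicator matcher for the RevengeRAT report above.

Added example, not part of the sandbox report or of any analysis tooling.
Reuses only the hashes, C2 endpoint and mutex name printed on this page;
the log lines below are constructed for demonstration.
"""
import hashlib
import re
import sys

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "c83e83d7f6694f711b5a0978b65d8e60",
    "sha1": "fd1d8ffef30043088d78341c83f132b0df627bb7",
    "sha256": "d501d27e1fbaeb2616d25c7c62d532a8a0d0f6f9aa8cbaa1b5d643c3a4936f3e",
    "sha512": "7b2cb73dba159130378d87d45ea4a2c0afe34d1ccdbe3068e63626ef8ea351cf"
              "4183a6ce33aacb65d2ebbc7722c2d7189e5615977f91c98418780d0c42cab8ce",
}
C2_HOST = "flames.hernetek.com"
C2_PORT = 2522
MUTEX = "RV_MUTEX-LuSAtYBxGgZH"
# Assumption: the "RV_MUTEX-" prefix is shared by other builds of the same
# family, so a prefix-only match is reported as a weaker, family-level hit.
MUTEX_PREFIX = "RV_MUTEX-"


def hash_bytes(data: bytes) -> dict:
    """Compute all four digests the report lists, as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def hash_file(path: str, chunk: int = 1 << 20) -> dict:
    """Same as hash_bytes but streams the file so large samples fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_hashes(digests: dict) -> set:
    """Return the algorithms whose digest equals the report's value."""
    return {alg for alg, val in digests.items()
            if IOC_HASHES.get(alg) == val.lower()}


# host:port tokens such as "flames.hernetek.com:2522" or "10.0.0.12:49512".
HOST_PORT = re.compile(r"(?<![\w.-])([A-Za-z0-9.-]+):(\d{1,5})(?!\d)")


def scan_network_log(lines) -> list:
    """Flag lines that touch the C2. Returns (line_no, verdict) pairs.

    'c2_endpoint' means host and port exactly as configured; 'c2_host' is
    the host in any other context (DNS lookup, a different port), which is
    still worth triage.
    """
    hits = []
    for no, line in enumerate(lines, 1):
        if C2_HOST not in line.lower():
            continue
        endpoint = any(h.lower() == C2_HOST and int(p) == C2_PORT
                       for h, p in HOST_PORT.findall(line))
        hits.append((no, "c2_endpoint" if endpoint else "c2_host"))
    return hits


def classify_mutex(name: str):
    """'exact' for this build's mutex, 'prefix' for the assumed family prefix."""
    if name == MUTEX:
        return "exact"
    if name.startswith(MUTEX_PREFIX):
        return "prefix"
    return None


# Constructed log lines in a simple "ts kind src -> dst proto" layout.
SAMPLE_LOG = [
    "2024-10-20T15:01:02Z conn 10.0.0.12:49512 -> 203.0.113.10:443 tcp",
    "2024-10-20T15:01:05Z dns  10.0.0.12 query flames.hernetek.com A",
    "2024-10-20T15:01:06Z conn 10.0.0.12:49520 -> flames.hernetek.com:2522 tcp",
    "2024-10-20T15:02:11Z conn 10.0.0.12:49530 -> flames.hernetek.com:443 tcp",
]


if __name__ == "__main__":
    for hit in scan_network_log(SAMPLE_LOG):
        print("log line %d: %s" % hit)
    # Any file paths on the command line are hashed and compared to the report.
    for path in sys.argv[1:]:
        matched = match_hashes(hash_file(path))
        print(path, "MATCH " + ",".join(sorted(matched)) if matched else "clean")
```

Run it with a suspect file as the argument to compare all four digests at once; the host-only verdict is deliberately kept separate from the exact endpoint so that a DNS lookup or a connection to another port on the same host is surfaced without being scored as a confirmed C2 session.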

Targets

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Deletes itself

      Removes its own executable from disk after execution.

    • Drops startup file

      Writes a file to a startup location so it is launched again at logon.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites another thread's register state; legitimate programs rarely call it, and it is a common building block of process hollowing and other code-injection techniques.
