revengerat | 8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f | Triage

Submit
Reports

Overview

overview

Static

static

3

Win32.KeyPass.zip

windows7-x64

Win32.KeyPass.zip

windows10-2004-x64

1

Win32.KeyPass.zip

macos-10.15-amd64

8

Win32.KeyPass.exe

windows7-x64

Win32.KeyPass.exe

windows10-2004-x64

Win32.KeyPass.exe

macos-10.15-amd64

1

Resubmissions

31-10-2024 02:19

241031-crvzeswkft 10

30-10-2024 03:56

241030-ehgrjsvldt 10

Sharing

General

Target

Win32.KeyPass.zip
Size

1.3MB
Sample

241030-ehgrjsvldt
MD5

f831ffa7faa4da66482aa252536e1b0f
SHA1

aa305bd6962ebf06e26462d25140691585f85341
SHA256

8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f
SHA512

3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a
SSDEEP

24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK

Score

10^/10

revengerat rms credential_access defense_evasion discovery evasion execution lateral_movement macos persistence ransomware rat spyware stealer trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Win32.KeyPass.zip

Resource

win7-20241010-en

revengerat rms defense_evasion discovery evasion execution lateral_movement rat stealer trojan upx

windows7-x64

41 signatures

1800 seconds

Behavioral task

behavioral2

Sample

Win32.KeyPass.zip

Resource

win10v2004-20241007-en

windows10-2004-x64

2 signatures

1800 seconds

Behavioral task

behavioral3

Sample

Win32.KeyPass.zip

Resource

macos-20240711.1-en

discovery evasion

macos-10.15-amd64

7 signatures

1800 seconds

Behavioral task

behavioral4

Sample

Win32.KeyPass.exe

Resource

win7-20240903-en

credential_access discovery ransomware spyware stealer

windows7-x64

15 signatures

1800 seconds

Behavioral task

behavioral5

Sample

Win32.KeyPass.exe

Resource

win10v2004-20241007-en

credential_access discovery persistence ransomware spyware stealer

windows10-2004-x64

19 signatures

1800 seconds

Behavioral task

behavioral6

Sample

Win32.KeyPass.exe

Resource

macos-20240711.1-en

macos-10.15-amd64

0 signatures

1800 seconds

Malware Config

Extracted

Path

C:\MSOCache\!!!DECRYPTION__KEYPASS__INFO!!!.txt

Ransom Note

Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail [email protected] send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Price for decryption $300. This price avaliable if you contact us first 72 hours. E-mail address to contact us: [email protected] Reserve e-mail address to contact us: [email protected] Your personal id: 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0

Emails

[email protected]

[email protected]

Targets

- Target
  
  Win32.KeyPass.zip
- Size
  
  1.3MB
- MD5
  
  f831ffa7faa4da66482aa252536e1b0f
- SHA1
  
  aa305bd6962ebf06e26462d25140691585f85341
- SHA256
  
  8f8f3834abab12ebd792487a89e45bdb8c8f41b51f232dfb3edb8e8140c9ff8f
- SHA512
  
  3bf39aeb6c52de76aa864fb7d810cb4adbd2c7e0a2b91e8b6865967843044d628ca66a4531c720e5cd75dfb82a371e467f823819c0d9d559bd371efeec1d962a
- SSDEEP
  
  24576:k5yq9y9qttzFVPyDcYwohuvh0GsGkjHkevwLfK4uiIP/nMPbcdKK:cH3FVP8hphuF2Hk1LfK4InMLK
Score

10^/10

revengerat rms defense_evasion discovery evasion execution lateral_movement rat stealer trojan upx
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- Rms family
  rms
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- RevengeRat Executable
  stealer
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Path Permission
  Adversaries may modify directory permissions/attributes to evade access control lists (ACLs) and access protected files.
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion execution
- Modifies file permissions
  discovery
- Uses the VBS compiler for execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Gatekeeper Bypass
  Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apples security model to ensure only trusted applications are executed on a host.
  evasion
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2 behavioral3
- Target
  
  Win32.KeyPass.bin
- Size
  
  2.8MB
- MD5
  
  6999c944d1c98b2739d015448c99a291
- SHA1
  
  d9beb50b51c30c02326ea761b5f1ab158c73b12c
- SHA256
  
  35b067642173874bd2766da0d108401b4cf45d6e2a8b3971d95bf474be4f6282
- SHA512
  
  ab883364a8907636c00a4d263670cd495d0e6c521283d40c68d47398163c6ee6647cfbbc2142005121735d9edf0b414ddac6ea468f30db87018c831eaa327276
- SSDEEP
  
  49152:0u1ImfQE5L1PtWHeHoQAOs1dKvHHg/o2S1pj798JGKCO8C/eZRwCr:dzV5JPtWHeHoIs1dGHHx2S1998JGKCOC
Score

10^/10

credential_access discovery ransomware spyware stealer persistence
- Renames multiple (9818) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Drops desktop.ini file(s)
behavioral4 behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

System Services

Service Execution

Persistence

Account Manipulation

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Account Manipulation

Boot or Logon Autostart Execution

Active Setup

Create or Modify System Process

Windows Service

Scheduled Task/Job

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

Linux and Mac File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Resource Forking

Impair Defenses

Disable or Modify System Firewall

Indicator Removal

Clear Persistence

File Deletion

Modify Registry

Subvert Trust Controls

Gatekeeper Bypass

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

File and Directory Discovery

Password Policy Discovery

Permission Groups Discovery

Local Groups

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Remote Service Session Hijacking

RDP Hijacking

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

revengeratrmsdefense_evasiondiscoveryevasionexecutionlateral_movementratstealertrojanupx

behavioral2

behavioral3

discoveryevasion

behavioral4

credential_accessdiscoveryransomwarespywarestealer

behavioral5

credential_accessdiscoverypersistenceransomwarespywarestealer

behavioral6

© 2018-2025

Terms | Privacy