revengerat | cd408aa67ec73ca9938dd4f97e1f520cd106466752c48d41547d9dee38efaef7

General

Target

2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
Size

351KB
MD5

cc9ab55b63738d3320e4249f210eb21a
SHA1

fe81d79df7e3e0497501ba9627962c25693c1f1c
SHA256

cd408aa67ec73ca9938dd4f97e1f520cd106466752c48d41547d9dee38efaef7
SHA512

acee588a3c0d4357af531411797235cac1df733b77754f77a171e916b93a4631d539ce3b504d2d06d9de92c51439203c93077ea2b3bc1b1ef0ccd2590b21cc18
SSDEEP

6144:cpIOU6F4Z5zkR0R5r3PsnrysQHRxv3S9Sy+lDAA3W:GIj6uNkRirCQDekdAAm

Score

10^/10

revengerat spam discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

SPAM

C2

kilimanjaro.cloudns.nz:8809

kilimanjaro.run.place:8809

kilimanjaro.crabdance.com:8809

kilimanjaro.bigmoney.biz:8809

kilimanjaro.theworkpc.com:8809

burkinafaso.duckdns.org:8809

Mutex

RV_MUTEX-GYuaWVCGnhpCsG

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/3336-1-0x00000000000A0000-0x00000000000FA000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

description	pid	process	target process
PID 3336 set thread context of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

description	pid	process	target process
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
PID 3336 wrote to memory of 532	3336	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe	2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe

C:\Users\Admin\AppData\Local\Temp\2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2024-10-30_cc9ab55b63738d3320e4249f210eb21a_hiddentear_hijackloader.exe.log

Filesize
520B

MD5
41c37de2b4598f7759f865817dba5f80

SHA1
884ccf344bc2dd409425dc5ace0fd909a5f8cce4

SHA256
427235491a8da3fc8770ed60d30af731835c94585cd08d4d81fca9f703b283bc

SHA512
a8f3c74916623de100e4cf22e05df9cdf541b1e32443aab0434f35fb9c4a7fa950b997ce589b532e65731ae471a1f152cd5c00ea1df4bd7a6b57eb27c93c54bd

Download Submit
memory/532-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/532-8-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/532-9-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/532-11-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/532-12-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3336-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/3336-1-0x00000000000A0000-0x00000000000FA000-memory.dmp

Filesize
360KB

Download
memory/3336-2-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3336-3-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/3336-4-0x0000000004B20000-0x0000000004B28000-memory.dmp

Filesize
32KB

Download
memory/3336-10-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads