Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 17:48

General

  • Target

    43a2a6b018663421f24500b1ec5d9b4acbe1079eb1aff150c942362eef63e8bbN.exe

  • Size

    1.3MB

  • MD5

    9c99e626dc35444077a3682e043bef30

  • SHA1

    97d31f72832e3802392e5eb1c809a728e927f31d

  • SHA256

    43a2a6b018663421f24500b1ec5d9b4acbe1079eb1aff150c942362eef63e8bb

  • SHA512

    2e6fcc3e3119adbd2371e0f5ec95b6cf64210ed0b7036a288fcf313d8c4df3a4775f554cc49880ba3b64eb7dccf151fd28e3be5243d04a2847ecaaee720e8d25

  • SSDEEP

    24576:5q5TfcdHj4fmbYs2qPIVf3+2/0dNGby6z3JLUOXxA9yozBF0:5UTsamXxwf3+2/MNGCOXxAg

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43a2a6b018663421f24500b1ec5d9b4acbe1079eb1aff150c942362eef63e8bbN.exe
    "C:\Users\Admin\AppData\Local\Temp\43a2a6b018663421f24500b1ec5d9b4acbe1079eb1aff150c942362eef63e8bbN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54382746 -chipderedesign -24dc92a00a6b4763a0af5b235e7748dd - -BLUB2 -dycwzzqisudrgdun -448
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

    Filesize

    450KB

    MD5

    dd551f9fa3d59465c2aeaba84f036bdd

    SHA1

    756b7ee2fa9d9aa9f1ca374a4ccfd1d1ba6e4541

    SHA256

    3a2b4292b8dc9a8834108ead7e55194c83a55a70e0ff15afcce4f2b028ef88ab

    SHA512

    01e92c563bd8d16ccd23102d56cb6ee4f4c6df02f2809ae5ab72f2b5a800f923452eb78f515c660c5d2713b57ae8652e3d95b1176fbd6f586ed36ea2acbad1aa

  • C:\Users\Admin\AppData\Local\Temp\DMR\dycwzzqisudrgdun.dat

    Filesize

    218B

    MD5

    394a207934ba893c9f13f9ac81e062f2

    SHA1

    a6dbda098937d8c972a432319fd3f60acaa40d57

    SHA256

    a5d7a4640931120269804a7ec8f5ce2e2c5da5ee656ee089f4292997cfc50e11

    SHA512

    4c7580825e8c734618c6eba6ceaaea211810c7992c25972d62d9169a5a4e4ab9902e766560614ef7d8e98fa7d4e88d699590d781c6cc179d0c4d2e100f7f452b

  • memory/448-0-0x0000000000960000-0x0000000000C24000-memory.dmp

    Filesize

    2.8MB

  • memory/448-20-0x0000000000960000-0x0000000000C24000-memory.dmp

    Filesize

    2.8MB

  • memory/3096-13-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

    Filesize

    8KB

  • memory/3096-14-0x00000000004E0000-0x0000000000554000-memory.dmp

    Filesize

    464KB

  • memory/3096-16-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

    Filesize

    10.8MB

  • memory/3096-17-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

    Filesize

    10.8MB

  • memory/3096-18-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

    Filesize

    10.8MB

  • memory/3096-19-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

    Filesize

    10.8MB

  • memory/3096-22-0x000000001E2F0000-0x000000001E3F2000-memory.dmp

    Filesize

    1.0MB

  • memory/3096-23-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

    Filesize

    10.8MB