Malware Analysis Report

2024-11-13 17:36

Sample ID 241110-b3p2wawkhx
Target cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N
SHA256 cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99
Tags
upx revengerat discovery stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99

Threat Level: Known bad

The file cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N was found to be: Known bad.

Malicious Activity Summary

upx revengerat discovery stealer trojan

Revengerat family

RevengeRAT

RevengeRat Executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

UPX packed file

AutoIT Executable

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:40

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win7-20240708-en

Max time kernel

18s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe

"C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe"

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -170038961 -chipderedesign -95b74d3ff5dd40ef8f0a0ce960ef14a9 - -BLUB2 -ufxomuuzahuqcbtd -2184

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api2.chip-secured-download.de | udp
DE | 116.203.169.158:80 | api2.chip-secured-download.de | tcp
US | 8.8.8.8:53 | ocs2.chdi-server.de | udp
DE | 116.203.169.153:8080 | ocs2.chdi-server.de | tcp

Files

memory/2184-0-0x0000000000D30000-0x0000000000FF2000-memory.dmp

\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

MD5 b4a0146baa90f5492ab02e870e85c409
SHA1 7b0ea47c654d906ae28fcb182eeb5a8c3bef4978
SHA256 d6587abcdb9ef01d5b6106566648a2a22fa900d1af7adb5f9fa0db831a01ee5a
SHA512 0fadeb7c52088cb7cafc0a1300ffb41ab18dfcfd50a17bfac07d8581964835af89b72188162f2c080b2da9ca9f0dd83733632b857fa6d6b388bee12be697bee2

memory/2548-16-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/2548-17-0x0000000000200000-0x0000000000274000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DMR\ufxomuuzahuqcbtd.dat

MD5 42e1d178a19796b2736775c165eee77d
SHA1 531db50df6ef26c8efbeace2ca56671b9e0ab6ba
SHA256 9060d97a561641d6e45f5aa2812df97d07c5f46bc3e6b1e7781467a6aa665bf7
SHA512 4a1f6808cfb8bec624c7634fe80c0a22d062fee48f536c2edc74462458359d094372d1e09c1a5850b800a9c5670b93f6e904e404e58aa544cd9be118331bbd16

memory/2548-19-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-20-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-21-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-22-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2184-23-0x0000000000D30000-0x0000000000FF2000-memory.dmp

memory/2548-24-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/2548-25-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-26-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-27-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-28-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2548-29-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:40

Reported

2024-11-10 01:42

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe

"C:\Users\Admin\AppData\Local\Temp\cfd4319b50d6bfdad23a68f089b3d97dee2806360e9dee3816cc37cd2a99fe99N.exe"

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -170038961 -chipderedesign -95b74d3ff5dd40ef8f0a0ce960ef14a9 - -BLUB2 -wcgnbooqjauqyxwb -2360

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api2.chip-secured-download.de | udp
DE | 116.203.169.158:80 | api2.chip-secured-download.de | tcp
US | 8.8.8.8:53 | ocs1.chdi-server.de | udp
US | 8.8.8.8:53 | 158.169.203.116.in-addr.arpa | udp
DE | 116.203.169.152:443 | ocs1.chdi-server.de | tcp
US | 8.8.8.8:53 | 152.169.203.116.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 70.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/2360-0-0x0000000000E10000-0x00000000010D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

MD5 b4a0146baa90f5492ab02e870e85c409
SHA1 7b0ea47c654d906ae28fcb182eeb5a8c3bef4978
SHA256 d6587abcdb9ef01d5b6106566648a2a22fa900d1af7adb5f9fa0db831a01ee5a
SHA512 0fadeb7c52088cb7cafc0a1300ffb41ab18dfcfd50a17bfac07d8581964835af89b72188162f2c080b2da9ca9f0dd83733632b857fa6d6b388bee12be697bee2

memory/216-13-0x00007FF8E2443000-0x00007FF8E2445000-memory.dmp

memory/216-14-0x0000000000240000-0x00000000002B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DMR\wcgnbooqjauqyxwb.dat

MD5 42e1d178a19796b2736775c165eee77d
SHA1 531db50df6ef26c8efbeace2ca56671b9e0ab6ba
SHA256 9060d97a561641d6e45f5aa2812df97d07c5f46bc3e6b1e7781467a6aa665bf7
SHA512 4a1f6808cfb8bec624c7634fe80c0a22d062fee48f536c2edc74462458359d094372d1e09c1a5850b800a9c5670b93f6e904e404e58aa544cd9be118331bbd16

memory/216-16-0x00007FF8E2440000-0x00007FF8E2F01000-memory.dmp

memory/216-17-0x00007FF8E2440000-0x00007FF8E2F01000-memory.dmp

memory/216-18-0x00007FF8E2440000-0x00007FF8E2F01000-memory.dmp

memory/216-19-0x00007FF8E2440000-0x00007FF8E2F01000-memory.dmp

memory/2360-20-0x0000000000E10000-0x00000000010D2000-memory.dmp

memory/216-22-0x00007FF8E2440000-0x00007FF8E2F01000-memory.dmp