Overview

overview

10

Static

static

10

c62d7667ff...ed.exe

windows7-x64

10

c62d7667ff...ed.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    72s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c62d7667ff8aaec6cc8795a086e904a16a11167657c62a78f51593ee67e524ed.exe

  • Size

    60KB

  • MD5

    0a5e0c27c9d2048cd79b908fb3e50457

  • SHA1

    8ab00cc61c021eabbb30ea885f123ad662eedc75

  • SHA256

    c62d7667ff8aaec6cc8795a086e904a16a11167657c62a78f51593ee67e524ed

  • SHA512

    f589040fb2d6143aec610c635424a0ed6f744dfd8a52d980bee45d22446d2cfc5a99d200287640e25e6557c8ef11d9b22eb9207bd93f8dead87efbc1b57b4f81

  • SSDEEP

    1536:6FIKcG3XCvYtGq2gkXp1z7r5bjzjFnpVjyl+u:6FIE3Cyh2th7NL1jq+u

Score
10/10
revengeratdiscoverystealertrojan

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c62d7667ff8aaec6cc8795a086e904a16a11167657c62a78f51593ee67e524ed.exe
    "C:\Users\Admin\AppData\Local\Temp\c62d7667ff8aaec6cc8795a086e904a16a11167657c62a78f51593ee67e524ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2776
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Casspol
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
          "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Casspol"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hwiejYAoBL.txt
    Filesize

    102B

    MD5

    55c1421bc5b62a78f39f819a3fb4dda5

    SHA1

    93c66da2a9e418931e038fc574a75fee95235133

    SHA256

    0464ee8094d17b5b5548d3bb69da24e27786ec0e5cb162daf984523bb0f172cf

    SHA512

    a80302928ae66e75213169b7bd485e501f5814acbefd84e9074f3f282ace4b722c9347a4d8de647af7f83fc4eed580018a96cb684072bc1ec33bd92700750614

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    d3ed4b38d30378533efd81285ca89e74

    SHA1

    72603cdc112a0c8d7402a8ff668f025b0f41701e

    SHA256

    4b2b75c75624b3573dbe7e1365109d40fdf6fd6ddd0b1b715604e9f66fcddcf8

    SHA512

    d95be9c0064f3cc131514bda63b4d56cd7fdc7a21349b33f3e85762bae96ddb4e30e6089d460347ddd244c5c6a502619cec028dced3fb3b9f14fa0fdadeb9e24

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Casspol
    Filesize

    60KB

    MD5

    0a5e0c27c9d2048cd79b908fb3e50457

    SHA1

    8ab00cc61c021eabbb30ea885f123ad662eedc75

    SHA256

    c62d7667ff8aaec6cc8795a086e904a16a11167657c62a78f51593ee67e524ed

    SHA512

    f589040fb2d6143aec610c635424a0ed6f744dfd8a52d980bee45d22446d2cfc5a99d200287640e25e6557c8ef11d9b22eb9207bd93f8dead87efbc1b57b4f81

    Download Submit

  • memory/1824-9-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-6-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-20-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-17-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-14-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-4-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-7-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-5-0x0000000000080000-0x0000000000096000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1824-37-0x0000000071F9E000-0x0000000071F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-21-0x0000000071F9E000-0x0000000071F9F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2524-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2524-22-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2524-36-0x0000000074C50000-0x00000000751FB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-23-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-29-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-34-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-32-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-35-0x0000000071F90000-0x000000007267E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2776-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2776-24-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-38-0x0000000071F90000-0x000000007267E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2776-26-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2776-25-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download