Extracted

• • Target

    download.jpeg

  • Size

    8KB

  • MD5

    481a86abe01f14ad73d0d93e454ed545

  • SHA1

    065757d42e841d3448ea2ed5faae9ee0bf9aed97

  • SHA256

    ffd75540b52e4e5ad5725d58ce5af9d65e4984789aff76d82ad2fc5715df0357

  • SHA512

    b39935b0a026fe5c500c7e575da1922f22cf8a439b22d74ff1a7187b3786c18a7ae5568f9f34af4279560fba5a741a3760613eb903f836d444b246c5d56ed4d5

  • SSDEEP

    192:eWY1Lq5qF7bH2cGfx/XmqUZWJgrKj14Y25DXiX:eWY1FJrufBXvIKR14T5WX

  Score

  10^/10

  revengeratguestdiscoverypersistenceprivilege_escalationstealertrojan

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat

  • Revengerat family

    revengerat

  • RevengeRat Executable

    stealer

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Event Triggered Execution: Component Object Model Hijacking

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2