Overview

overview

10

Static

static

3

db1bed0fcb...18.exe

windows7-x64

10

db1bed0fcb...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2024 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018.exe

  • Size

    1.7MB

  • MD5

    570388d87360d6bd982993aedaddbac0

  • SHA1

    883499305bb02ac67ab22688ce1f6c6fb2c13bdb

  • SHA256

    db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018

  • SHA512

    0f5afd85cd6cfb3958cf5fc1aeaba2872eb1218bb5da86a93ff2148b3a5eaf2b69c38786841106b6bd72e215309ecaab2a61a0d864f0703691fc1499d469d054

  • SSDEEP

    49152:vcGL0yvl07QwY4AYgH1DsAyhYtzo/V/8I56KHygdmQPgQvz2/:vcGTvDwYvHOdozm8I5nygdnJb2/

Score
10/10
revengeratguestdiscoverypersistencestealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

Mutex

RV_MUTEX-vZblRvZwfRtNH

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 31 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018.exe
    "C:\Users\Admin\AppData\Local\Temp\db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Users\Admin\AppData\Local\Temp\db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018.exe
      C:\Users\Admin\AppData\Local\Temp\db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Users\Admin\AppData\Roaming\Client.exe
        "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Users\Admin\AppData\Roaming\Client.exe
          C:\Users\Admin\AppData\Roaming\Client.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Client.exe
    Filesize

    1.7MB

    MD5

    570388d87360d6bd982993aedaddbac0

    SHA1

    883499305bb02ac67ab22688ce1f6c6fb2c13bdb

    SHA256

    db1bed0fcb8b96baabc8163efc6c3f32726f8840ca135a741a35c7abd6c04018

    SHA512

    0f5afd85cd6cfb3958cf5fc1aeaba2872eb1218bb5da86a93ff2148b3a5eaf2b69c38786841106b6bd72e215309ecaab2a61a0d864f0703691fc1499d469d054

    Download Submit

  • memory/396-11-0x0000000000400000-0x0000000000763000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/396-1-0x0000000000400000-0x0000000000763000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/396-0-0x0000000000400000-0x0000000000763000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2404-62-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-71-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-68-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-67-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-66-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-65-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-64-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-63-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-70-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-69-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-60-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-61-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-55-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-56-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-57-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-58-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-59-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-54-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-51-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2404-52-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-20-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-12-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-28-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-39-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-42-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-41-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-40-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-2-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-27-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-6-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-26-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-25-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-24-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-23-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-22-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-29-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-13-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-14-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-15-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-21-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-16-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-18-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-19-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-17-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-4-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-9-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2624-10-0x0000000000400000-0x00000000007D4000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4056-53-0x0000000000400000-0x0000000000763000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4056-43-0x0000000000400000-0x0000000000763000-memory.dmp

    Filesize

    3.4MB

    Download