General

  • Target

    d6d0a2663b63dd57235c5dd45ce4465f353c75ac9df8f9f2460be6ae7ef1f739N.exe

  • Size

    1.7MB

  • Sample

    241211-n27xhs1pbz

  • MD5

    9d1b6d3c4c06b74ab02471fa26024a20

  • SHA1

    e5c739a9ae3e1f25c69d9c8e2eec71222e5a0d5f

  • SHA256

    d6d0a2663b63dd57235c5dd45ce4465f353c75ac9df8f9f2460be6ae7ef1f739

  • SHA512

    3aac2eb448be3c27475a9b7f50a2639f17171cf6ddd145cc71a5a15989431cafe7360c3b01a9da050c1c1e5149dc9f5ecb96876585c7f2c2bce4456e089c5a8f

  • SSDEEP

    49152:vcGL0yvl07QwY4AYgH1DsAyhYtzo/V/8I56KHygdmQPgQvz2:vcGTvDwYvHOdozm8I5nygdnJb2

Malware Config

Extracted

  • Family

    revengerat

  • Botnet

    Guest

  • C2

    127.0.0.1:333

  • Mutex

    RV_MUTEX-vZblRvZwfRtNH

Targets

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • RevengeRat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
