Overview

overview

10

Static

static

5

94594c84bb...dN.exe

windows7-x64

10

94594c84bb...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 05:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94594c84bb9bc495d57056c5f47e23671b5f811e73823900e4791a84ec85984dN.exe

  • Size

    1.2MB

  • MD5

    96443525ef3471652cfd7b712f7a3860

  • SHA1

    4cf50a54c2126020db87fab1ca1052a12c13ab75

  • SHA256

    94594c84bb9bc495d57056c5f47e23671b5f811e73823900e4791a84ec85984d

  • SHA512

    166dc78dc08c7f35418d6b00dc2eb0d344617a6ff078205e877a927818376d878a56ec693999350ed1ab4047de1f1be80797bf0db28eb085b8b7ba4b2a1755dd

  • SSDEEP

    24576:Wq5TfcdHj4fmbC3F2qGY+Ub5LMmWLui01KzGa+hLJoiLT6zeAfY:WUTsamGFxuLuiUJLJoiLT7

Score
10/10
revengeratdiscoverystealertrojanupx

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94594c84bb9bc495d57056c5f47e23671b5f811e73823900e4791a84ec85984dN.exe
    "C:\Users\Admin\AppData\Local\Temp\94594c84bb9bc495d57056c5f47e23671b5f811e73823900e4791a84ec85984dN.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54384552 -chipderedesign -12fda0e72d7e417bb68015a09028a020 - -BLUB2 -ahweuyaljzbgbjbo -4968
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DMR\ahweuyaljzbgbjbo.dat
    Filesize

    159B

    MD5

    8b3d37458cf3e95da05b67d617bea6ff

    SHA1

    b10332e0a65bf8fb04647edff101a8101b7f41c0

    SHA256

    c26446ceeec3a3e7269b77e8d131d30d9f535b296fcd28e6227f5a99edba241d

    SHA512

    131daa370e384cb0d7680483ab36b18417c5cc0035d91f4087e7925361e46f17c1712e169ea6e49403d21c77a17b2d3808d255c2bf616f4bd11e2a28ac7cf76e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
    Filesize

    403KB

    MD5

    0e38c05d565ba4f647aa2619fc52f6b9

    SHA1

    cbe168e16739b086e91f3dfc6d8a052966284eea

    SHA256

    c016a6f3b11f1866d4ef2fcae810e29962407370f698558cc3c7a63f2b51a93a

    SHA512

    cbec0a5a471e6feb40603545d772b7b0ad3f6937dfca497f39a394644e26495807005117b6fb68b8d05c5d597e1dc66a59961e7eaaafcff1981779f838983407

    Download Submit

  • memory/2848-13-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2848-14-0x0000000000990000-0x00000000009FA000-memory.dmp

    Filesize

    424KB

    Download

  • memory/2848-16-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2848-17-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2848-18-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2848-19-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2848-22-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4968-0-0x0000000000ED0000-0x0000000001164000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4968-20-0x0000000000ED0000-0x0000000001164000-memory.dmp

    Filesize

    2.6MB

    Download