Overview

overview

10

Static

static

5

3db0e385eb...2c.exe

windows7-x64

10

3db0e385eb...2c.exe

windows10-2004-x64

10

Resubmissions

02-01-2025 14:21

250102-rn7alsxpfq 10

02-01-2025 07:44

250102-jk1dwstphj 10

Analysis

  • max time kernel
    157s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-01-2025 14:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe

  • Size

    1.1MB

  • MD5

    56ac9e72644a8dae8c1968d63a26e58a

  • SHA1

    d0349d04f33400541898426438d9e036d21decc5

  • SHA256

    3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c

  • SHA512

    d4f5c176b3e4fda2a318fde3ec3702d9bf102bd752ee42b4549b9fd6630fdcbee20de63fc7a403f60768ac7c0a7d780bc542c8d60f4e2b9eeb19a40aba49ddc1

  • SSDEEP

    24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT

Score
10/10
revengeratdiscoverystealertrojanupx

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
    "C:\Users\Admin\AppData\Local\Temp\3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -pyiiyygqpuuqycei -1640
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3124
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:900

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
    Filesize

    373KB

    MD5

    1b81fa48134378f2b8d54a41fcfcf0ca

    SHA1

    ff6fd97bcc603890c9bdffebe992a8b95d4f2686

    SHA256

    5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707

    SHA512

    b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DMR\pyiiyygqpuuqycei.dat
    Filesize

    163B

    MD5

    8c934b48a05955c6cc934925f4c01e7d

    SHA1

    b6300c8e23a440e85637a6e8f028ff25bee676d6

    SHA256

    51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992

    SHA512

    199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69

    Download Submit

  • memory/900-31-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-30-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-29-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-35-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-32-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-33-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-34-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-23-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-25-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/900-24-0x000002D2D6CE0000-0x000002D2D6CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1640-0-0x0000000000230000-0x00000000004A6000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1640-20-0x0000000000230000-0x00000000004A6000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3124-16-0x00007FFE64110000-0x00007FFE64BD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-22-0x00007FFE64110000-0x00007FFE64BD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-19-0x00007FFE64110000-0x00007FFE64BD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-18-0x00007FFE64110000-0x00007FFE64BD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-17-0x00007FFE64110000-0x00007FFE64BD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3124-14-0x0000000000BC0000-0x0000000000C22000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3124-13-0x00007FFE64113000-0x00007FFE64115000-memory.dmp

    Filesize

    8KB

    Download