Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2025, 18:58 UTC

General

  • Target

    c8966486c4522c329ba589322ef2a226318355e830eee7b24842541a3579dffe.exe

  • Size

    1.1MB

  • MD5

    7b0378fe4db099122679b28aa52a20b2

  • SHA1

    7912e9de9092417bbdc283a3a76f2d577a81aba4

  • SHA256

    c8966486c4522c329ba589322ef2a226318355e830eee7b24842541a3579dffe

  • SHA512

    ffd1bd929fedf7485333ee99665de80591fb3ef31e1ff303b8522fe849b2c027027a5f54df28d58b40d337cab3fbd7423618f0435af8c964de3f4fa9dfa5eebf

  • SSDEEP

    24576:Sq5TfcdHj4fmbi2qs0MmV0VMXeyrtoT1GokHTQoCwsC+c:SUTsamOxzRoBVoCwH

Malware Config

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

  • Revengerat family
  • RevengeRat Executable 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8966486c4522c329ba589322ef2a226318355e830eee7b24842541a3579dffe.exe
    "C:\Users\Admin\AppData\Local\Temp\c8966486c4522c329ba589322ef2a226318355e830eee7b24842541a3579dffe.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
      "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54504926 -chipde -076eb568145b444db33b7184e9a63552 - -BLUB2 -crmwmcxonlsdvbvv -2404
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1616

Network

  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.chip-secured-download.de
    dmr_72.exe
    Remote address:
    8.8.8.8:53
    Request
    api.chip-secured-download.de
    IN A
    Response
    api.chip-secured-download.de
    IN A
    116.203.169.158
  • flag-de
    GET
    http://api.chip-secured-download.de/geoip/geoip.php?ip=37382e33342e3132372e3933
    dmr_72.exe
    Remote address:
    116.203.169.158:80
    Request
    GET /geoip/geoip.php?ip=37382e33342e3132372e3933 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
    Host: api.chip-secured-download.de
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.10.3
    Date: Fri, 24 Jan 2025 18:58:16 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.1.21
    Cache-Control: private, must-revalidate
    pragma: no-cache
    expires: -1
  • flag-de
    GET
    http://api.chip-secured-download.de/dotnet/com
    dmr_72.exe
    Remote address:
    116.203.169.158:80
    Request
    GET /dotnet/com HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
    Host: api.chip-secured-download.de
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.10.3
    Date: Fri, 24 Jan 2025 18:58:17 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    X-Powered-By: PHP/7.1.21
    Cache-Control: private, must-revalidate
    pragma: no-cache
    expires: -1
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    ocs2.chdi-server.de
    dmr_72.exe
    Remote address:
    8.8.8.8:53
    Request
    ocs2.chdi-server.de
    IN A
    Response
    ocs2.chdi-server.de
    IN A
    116.203.169.153
  • flag-us
    DNS
    158.169.203.116.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    158.169.203.116.in-addr.arpa
    IN PTR
    Response
    158.169.203.116.in-addr.arpa
    IN PTR
    docker1.chdi-server.de
  • flag-us
    DNS
    153.169.203.116.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    153.169.203.116.in-addr.arpa
    IN PTR
    Response
    153.169.203.116.in-addr.arpa
    IN PTR
    ocs2.chdi-server.de
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    202.86.200.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.86.200.23.in-addr.arpa
    IN PTR
    Response
    202.86.200.23.in-addr.arpa
    IN PTR
    a23-200-86-202.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 116.203.169.158:80
    http://api.chip-secured-download.de/dotnet/com
    http
    dmr_72.exe
    881 B
    794 B
    8
    5

    HTTP Request

    GET http://api.chip-secured-download.de/geoip/geoip.php?ip=37382e33342e3132372e3933

    HTTP Response

    200

    HTTP Request

    GET http://api.chip-secured-download.de/dotnet/com

    HTTP Response

    200
  • 116.203.169.153:443
    ocs2.chdi-server.de
    https
    dmr_72.exe
    474 B
    273 B
    5
    4
  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    api.chip-secured-download.de
    dns
    dmr_72.exe
    74 B
    90 B
    1
    1

    DNS Request

    api.chip-secured-download.de

    DNS Response

    116.203.169.158

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    73.159.190.20.in-addr.arpa

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    146 B
    139 B
    2
    1

    DNS Request

    167.173.78.104.in-addr.arpa

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    ocs2.chdi-server.de
    dns
    dmr_72.exe
    65 B
    81 B
    1
    1

    DNS Request

    ocs2.chdi-server.de

    DNS Response

    116.203.169.153

  • 8.8.8.8:53
    158.169.203.116.in-addr.arpa
    dns
    74 B
    110 B
    1
    1

    DNS Request

    158.169.203.116.in-addr.arpa

  • 8.8.8.8:53
    153.169.203.116.in-addr.arpa
    dns
    74 B
    107 B
    1
    1

    DNS Request

    153.169.203.116.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    202.86.200.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    202.86.200.23.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DMR\crmwmcxonlsdvbvv.dat

    Filesize

    149B

    MD5

    12a8a852ae45311d9517d34384e4f687

    SHA1

    fda9eac96a130bf25e387715e8f12a92e051252d

    SHA256

    733888663da7d88e642e3da58affad6a33902eb07e9b50489e428fbb16a82ebc

    SHA512

    ed6eba1e6e2af4c5327b89c319ee3e4714e9e5ce014deb1a401268e9818e57fb0515546dfa616c99c8ca9ab8431d39441518e458562850b9d3c6762ecfb3305c

  • C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

    Filesize

    373KB

    MD5

    1b81fa48134378f2b8d54a41fcfcf0ca

    SHA1

    ff6fd97bcc603890c9bdffebe992a8b95d4f2686

    SHA256

    5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707

    SHA512

    b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf

  • memory/1616-13-0x00007FFDFA733000-0x00007FFDFA735000-memory.dmp

    Filesize

    8KB

  • memory/1616-14-0x0000000000950000-0x00000000009B2000-memory.dmp

    Filesize

    392KB

  • memory/1616-16-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1616-17-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1616-18-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1616-19-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/1616-22-0x00007FFDFA730000-0x00007FFDFB1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2404-0-0x0000000000520000-0x0000000000796000-memory.dmp

    Filesize

    2.5MB

  • memory/2404-20-0x0000000000520000-0x0000000000796000-memory.dmp

    Filesize

    2.5MB
