General
-
Target
https://www.bing.com/ck/a?!&&p=56685b0a4ec34a1e7628834ecd5a77f7a5eed3b9b55cc96162378323f04c38b8JmltdHM9MTc0MTMwNTYwMA&ptn=3&ver=2&hsh=4&fclid=29237bb9-0334-6dad-0f6b-6e84029f6c93&psq=malware+download&u=a1aHR0cHM6Ly9naXRodWIuY29tL0RhMmRhbHVzL1RoZS1NQUxXQVJFLVJlcG8&ntb=1
-
Sample
250307-lad41sxxhy
Malware Config
Extracted
revengerat
Guest
0.tcp.ngrok.io:19521
RV_MUTEX
Targets
-
-
Target
https://www.bing.com/ck/a?!&&p=56685b0a4ec34a1e7628834ecd5a77f7a5eed3b9b55cc96162378323f04c38b8JmltdHM9MTc0MTMwNTYwMA&ptn=3&ver=2&hsh=4&fclid=29237bb9-0334-6dad-0f6b-6e84029f6c93&psq=malware+download&u=a1aHR0cHM6Ly9naXRodWIuY29tL0RhMmRhbHVzL1RoZS1NQUxXQVJFLVJlcG8&ntb=1
Score10/10-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1