MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5
SHA3-384 hash: b369e4d3903540a936ec05e7d7adb44dc4f71fa9d72c840096d5fa616cb790b63158f688d257c963b3dfe1780ff70952
SHA1 hash: 2817dcee7a9f18581d22a56380a92615b55bdb73
MD5 hash: 3280d50907796ea6caa8fe167cf576a7
humanhash: july-arizona-ceiling-yankee
File name:041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:61'952 bytes
First seen:2021-02-28 07:17:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:HDLgSRgzCYMNmZqMAc+TAtetJ+MncZ5V3t6f9SukJwkN2uw2hdWOEvuk2TMzYcHh:LRgGsUMAc+sM/9Y3a9SPNxphN+
Threatray 62 similar samples on MalwareBazaar
TLSH AE53DA03B7879276D96C25B650E7312013F2978B1733E65A3DCC429E5F233926E4ABC6
Reporter JAMESWT_WT
Tags:RevengeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
test.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 19:40:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e9bc4156-899b-4303-b6cf-5b85ee5ceede

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RevengeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119859/
Detection(s):
Win.Trojan.Generic-6332612-0
Create hunting rule

Win.Trojan.RevengeRAT-6690354-0
Create hunting rule

Win.Dropper.LimeRAT-9776087-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Enabling the 'hidden' option for analyzed file
Connection attempt
Creating a file
DNS request
Creating a file in the Windows subdirectories
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621019
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359502 Sample: dSlIdrHJ2i Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus detection for dropped file 2->78 80 Antivirus / Scanner detection for submitted sample 2->80 82 9 other signatures 2->82 9 dSlIdrHJ2i.exe 3 2->9         started        12 wscript.exe 2->12         started        14 dSlIdrHJ2i.exe 2 2->14         started        16 4 other processes 2->16 process3 signatures4 98 Writes to foreign memory regions 9->98 100 Allocates memory in foreign processes 9->100 102 Injects a PE file into a foreign processes 9->102 18 aspnet_compiler.exe 2 12 9->18         started        23 dSlIdrHJ2i.exe 12->23         started        25 aspnet_compiler.exe 2 14->25         started        27 aspnet_compiler.exe 16->27         started        29 aspnet_compiler.exe 2 16->29         started        31 aspnet_compiler.exe 16->31         started        process5 dnsIp6 72 ccjjgg-56389.portmap.io 18->72 74 127.0.0.1 unknown unknown 18->74 64 C:\Windows\SysWOW64\Subdir, PE32 18->64 dropped 66 C:\Users\user\AppData\...\desktop-.exe, PE32 18->66 dropped 68 C:\Windows\SysWOW64\Subdir:Zone.Identifier, ASCII 18->68 dropped 70 3 other malicious files 18->70 dropped 84 Drops script or batch files to the startup folder 18->84 86 Drops VBS files to the startup folder 18->86 88 Drops PE files to the startup folder 18->88 33 aspnet_compiler.exe 4 18->33         started        35 schtasks.exe 1 18->35         started        90 Writes to foreign memory regions 23->90 92 Allocates memory in foreign processes 23->92 94 Injects a PE file into a foreign processes 23->94 37 aspnet_compiler.exe 23->37         started        40 aspnet_compiler.exe 25->40         started        42 aspnet_compiler.exe 27->42         started        44 aspnet_compiler.exe 3 29->44         started        46 aspnet_compiler.exe 31->46         started        file7 signatures8 process9 signatures10 48 conhost.exe 33->48         started        50 conhost.exe 35->50         started        96 Injects a PE file into a foreign processes 37->96 52 aspnet_compiler.exe 37->52         started        54 conhost.exe 40->54         started        56 conhost.exe 42->56         started        58 conhost.exe 44->58         started        60 conhost.exe 46->60         started        process11 process12 62 conhost.exe 52->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 23:29:09 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqita6dmvrg32cqeit6thau7sgdlp72afaytlbuj2xzwjkcdpgsq._file
Verdict:
malicious
Similar samples:
460cca0f6a1acc665e76da5539844db4fd042761cbe9641a2b9fb663a322a3ab
RevengeRAT
7af6be720f63c86de10443745e332a5717aa9b14fa3e8ecca584ef370f2080da
RevengeRAT
7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78
RevengeRAT
cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f
RevengeRAT
e0287568096f94034a8746adef8f4c08db4ef5f51134f90740b1c72eb1b1eb0b
RevengeRAT
e44ea6095036b15910c82941c0c3af5178687d3deeb9954adf9967cd833b9349
RevengeRAT
e72478765908b84f150ef0b7e895cfca0780a9107de6cf819ec5715f6f179acd
RevengeRAT
ed5c6f06e459285fa5e621026be965558add0841e7426ecee6d3e41d5e9b9761
RevengeRAT
edcf2ab0937689a7e0475395a8654f874e413649ee63100e61c4d1a8c09ba681
RevengeRAT
fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf
RevengeRAT
+ 52 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat stealer trojan
Link:
https://tria.ge/reports/210228-pbdp86h7da/
Behaviour
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
RevengeRat Executable
RevengeRAT
Unpacked files
SH256 hash:
041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5
MD5 hash:
3280d50907796ea6caa8fe167cf576a7
SHA1 hash:
2817dcee7a9f18581d22a56380a92615b55bdb73
Link:
https://www.unpac.me/results/9142b6c5-6425-491e-8a7e-d0784eb3ecf9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/041130786cac4dbd0a0444fd33829f9186b7ff402831358689d5f364a84379a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RevengeRAT_Sep17
Create hunting rule
Author:Florian Roth
Description:Detects RevengeRAT malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119859/

Comments