MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63
SHA3-384 hash: cf886f690587a5f049a498c9b5b779cfcdeaeb9de88f3c589ea9333fb0edf68f30cc634ec1b038383a1ee17feb06838d
SHA1 hash: b35e89b7cfa0ef75f7d92394054e8c887915a5dd
MD5 hash: 76cb3c523a6731d3a348b89f90989d38
humanhash: eighteen-orange-black-ten
File name:76CB3C523A6731D3A348B89F90989D38.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:2'953'728 bytes
First seen:2021-03-28 21:25:31 UTC
Last seen:2021-03-28 21:49:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 1536:njvggstYRk6+53et5tCHm8rNnY5Xn9cE8m4huvkzIZC2vf+RJvkIDUs//8eyHlYB:Tojm+
Threatray 218 similar samples on MalwareBazaar
TLSH 8ED5C6293DF7D06AE3DA4B8D20844BE9660B7FF6283CB4E627400075670B52595E6FBC
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
5.39.19.8:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
5.39.19.8:2404 https://threatfox.abuse.ch/ioc/5646/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
76CB3C523A6731D3A348B89F90989D38.exe
Verdict:
Malicious activity
Analysis date:
2021-03-28 21:28:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fbb4b623-cfeb-4053-bd86-2f8c8e04bc0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RevengeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127395/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.144.4409.25393.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Creating a window
Sending a UDP request
Running batch commands
Unauthorized injection to a recently created process
Setting a single autorun event
Blocking the User Account Control
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f78ad00f-fe59-4c3b-9ac2-ed70e71d8b6c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/656263
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to delay execution (extensive OutputDebugStringW loop)
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 377064 Sample: 1SB752a6RQ.exe Startdate: 28/03/2021 Architecture: WINDOWS Score: 100 55 hpdndbnb.duckdns.org 2->55 63 Multi AV Scanner detection for dropped file 2->63 65 Sigma detected: Powershell adding suspicious path to exclusion list 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 3 other signatures 2->69 8 1SB752a6RQ.exe 9 16 2->8         started        12 svchost.exe 2->12         started        14 svchost.exe 9 1 2->14         started        17 7 other processes 2->17 signatures3 process4 dnsIp5 45 C:\Users\...\MWTjQYdPapkdCxQvhEwXmaNAP.exe, PE32 8->45 dropped 47 C:\Program Files\Common Files\...\svchost.exe, PE32 8->47 dropped 49 MWTjQYdPapkdCxQvhE...exe:Zone.Identifier, ASCII 8->49 dropped 51 3 other files (2 malicious) 8->51 dropped 71 Drops PE files to the startup folder 8->71 73 Adds a directory exclusion to Windows Defender 8->73 75 Tries to delay execution (extensive OutputDebugStringW loop) 8->75 79 3 other signatures 8->79 19 1SB752a6RQ.exe 8->19         started        22 AdvancedRun.exe 1 8->22         started        24 cmd.exe 8->24         started        28 10 other processes 8->28 77 Changes security center settings (notifications, updates, antivirus, firewall) 12->77 61 127.0.0.1 unknown unknown 14->61 26 WerFault.exe 17->26         started        file6 signatures7 process8 dnsIp9 57 hpdndbnb.duckdns.org 5.39.19.8, 2404 OVHFR France 19->57 59 192.168.2.1 unknown unknown 22->59 31 AdvancedRun.exe 22->31         started        33 conhost.exe 24->33         started        35 timeout.exe 24->35         started        53 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 28->53 dropped 37 conhost.exe 28->37         started        39 conhost.exe 28->39         started        41 conhost.exe 28->41         started        43 5 other processes 28->43 file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-24 17:19:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
24 of 48 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=buknjfv7yawtlpqlegnnyxw56sp6ckpdesn6v572ltdrw4jotrrq._file
Verdict:
malicious
Similar samples:
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
RevengeRAT
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
RevengeRAT
4d0c7314a1dae4a0bcc378f5ea1a779db24f54be030c578fb93033322f814be2
RevengeRAT
5abccf199b1e503db7c810a9dcbe1310b6a6b78441b091dae6f45c92d3c3add1
RevengeRAT
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
RevengeRAT
869147dc42f117713c1b9070d615deda8ff7d7baf8c5baea4ccee3c21829fa96
RevengeRAT
8cc2bfa5a2a451905fa3ac3e499cada8efc674eb7b8f8878458f5277970bd2e6
RevengeRAT
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
RevengeRAT
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
RevengeRAT
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
RevengeRAT
+ 208 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat botnet:nyancatrevenge evasion persistence trojan
Link:
https://tria.ge/reports/210328-2nbjm19x56/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
RevengeRAT
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
hpdndbnb.duckdns.org:2404
Unpacked files
SH256 hash:
9ccc859109e2529a3d57f77823d9bd3f850e4916bc2b4077ffbb6be06fe087c6
MD5 hash:
45e405ae9f232ef30d0dbe24f2f6490d
SHA1 hash:
f26c2fc1810e9caa1c4cf6ee7889e86876547de0
Link:
https://www.unpac.me/results/984dacd0-28c6-437e-9f88-b808770257a7/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/984dacd0-28c6-437e-9f88-b808770257a7/
SH256 hash:
0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63
MD5 hash:
76cb3c523a6731d3a348b89f90989d38
SHA1 hash:
b35e89b7cfa0ef75f7d92394054e8c887915a5dd
Link:
https://www.unpac.me/results/984dacd0-28c6-437e-9f88-b808770257a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_RevengeRAT
Create hunting rule
Author:ditekSHen
Description:RevengeRAT and variants payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127395/

Comments