MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15
SHA3-384 hash:	c9c25fc81abb4dfb8f03b2a80c963f24e857bba241c0cd21d68a510d35de02396fe0d3fc8068667f50a8edecf36673c5
SHA1 hash:	6450139c6698b3cfb67cf9f06a0b3190c44442af
MD5 hash:	0b660bffa6e0093bf7054a8d80071585
humanhash:	echo-ack-ceiling-chicken
File name:	file
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	17'920 bytes
First seen:	2020-02-27 16:48:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	384:pxkgrwjFTcBr6YbalEM7s/oObysVKQsyKXfWc:pxkgrwFwvalEoGChXu
Threatray	50 similar samples on MalwareBazaar
TLSH	4E8208DAB7B89A06C2BC67FD417224215F75878F9501C75E1DD484EBB3A33D0AA40BE2
Reporter	johannes
Tags:	RevengeRAT

viql

revengerat via https://pastebin.com/raw/y1ED2f5E

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.RevengeRat-6344273-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Revengerat

Status:

Malicious

First seen:

2020-02-19 01:12:00 UTC

AV detection:

30 of 31 (96.77%)

Threat level:

2/5

Verdict:

malicious

RevengeRAT

0f0ad0df89b895ae4e7ad72b7d6bbea015fe566fe98b577553cb95cd3fb96766

RevengeRAT

291bf31470c9bcacec467c980adb7a3d111ebb6b72cf07147884a7eae5cabde9

RevengeRAT

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

RevengeRAT

61772167a95f7d7eb84337c06144cbba21b88b0ace8ef24d59426c7a50e6acc6

RevengeRAT

6ebe2626d66a590a572cca546c2b1c472f5e1b7db26f89cc8f6f073125fe82c5

RevengeRAT

8efd6f95c39e86627b1f9cc553fa7bed152dbf4788662bee15d3b5bdf0c1b79e

RevengeRAT

b92fe7309b229fc2894d3b10b0a9cd148fb1b4214bffb3b0bd16ef219f21f632

RevengeRAT

c7bf30d34e0e14112c582d3b55aafabdfb00f563be001f3e1ab4e5d04b5c0271

RevengeRAT

d9a9a7ab99db0946ecb0f5f398eddd0d820ffbde0105164064e168f1ea73ba26

RevengeRAT

+ 40 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-th3b611dys/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops startup file

Uses the VBS compiler for execution

Malware Config

C2 Extraction:

memo445.ddns.net:1337

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample