MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1366d835a5675aae88bb713125b1fe9f8ad327172fb648ed0aec7acc7701cdf0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RevengeRAT


Vendor detections: 7



SHA256 hash: 1366d835a5675aae88bb713125b1fe9f8ad327172fb648ed0aec7acc7701cdf0
SHA3-384 hash: 8ee01988e003cfa71fb8dca54902e697237d3b1f3929c1a8be5da7f76d6924439ece75c125829de3cb7093a46240499a
SHA1 hash: ffd48addf9aa0c2e8a8d02bcea68f47b0c95f504
MD5 hash: c0cad88b7c89fc09c05229097e13a939
humanhash: pennsylvania-massachusetts-golf-bulldog
File name: mltqanainst.bin
Signature: RevengeRAT
File size: 6'744'433 bytes
First seen: 2021-03-29 13:34:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep: 196608:EtdZ/pUKc6qT8VkNGdD28b9qcT2JQwKrogqMWndemFf:+Z/pUKPVkNu5T229kWMemFf
Threatray: 51 similar samples on MalwareBazaar
TLSH: ED6612B4B48A8071F3564631F55EBEB5A13239C7F7DA2D1623A9AD009BE5F622F0530C
Reporter: Arkbird_SOLG
Tags: apt apt-c-44 RevengeRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 1'199
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: mltqanainst.exe
Verdict: Malicious activity
Analysis date: 2021-03-29 14:09:33 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Sending a UDP request
Creating a file in the %temp% subdirectories
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RevengeRAT
Detection: malicious
Classification: troj.evad
Score: 56 / 100
Signature
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates files in the recycle bin to hide itself
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Powershell drops PE file
Renames powershell.exe to bypass HIPS
Suspicious powershell command line found
Uses dynamic DNS services
Yara detected RevengeRAT
Behaviour
Behavior Graph (rendered graph replaced by the information recoverable from it):
Behavior Graph ID: 377406
Sample: mltqanainst.bin
Startdate: 29/03/2021
Architecture: WINDOWS
Score: 56
Signatures at sample level: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
Process tree:
  powershell.exe (started by the sample)
    DNS/IP: voly.ddns.net 105.235.128.86, 88, wataniya-telecom-asDZ Algeria
    Dropped: C:\google\system.exe (PE32+)
    Signatures: Renames powershell.exe to bypass HIPS; Powershell drops PE file
    Started: vbc.exe, vbc.exe, vbc.exe, and 4 other processes
      vbc.exe: dropped C:\$Recycle.Bin.exe (PE32); signature: Creates files in the recycle bin to hide itself; started cvtres.exe
      vbc.exe: dropped C:\Documents and Settings.exe (PE32); started cvtres.exe
      vbc.exe: dropped C:\MSOCache.exe (PE32); started cvtres.exe
      4 other processes: dropped C:\Recovery.exe (PE32), C:\PerfLogs.exe (PE32), C:\bootTel.dat.exe (PE32); started cvtres.exe (three instances)
  mltqanainst.exe (started by the sample)
    Dropped: C:\Program Files (x86)\...\addores.dll (PE32); C:\Program Files (x86)\...\Uninstall.exe (PE32); C:\Program Files (x86)\...\Uninstal.exe (PE32); C:\Program Files (x86)\...\Mltqana.exe (PE32)
    Signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates an autostart registry key pointing to binary in C:\Windows
  powershell.exe (started by the sample)
    Started: conhost.exe
Threat name: Win32.Trojan.Garvi
Status: Malicious
First seen: 2021-02-28 04:36:11 UTC
AV detection: 8 of 28 (28.57%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Enumerates physical storage devices
Unpacked files
SHA256 hash: 1366d835a5675aae88bb713125b1fe9f8ad327172fb648ed0aec7acc7701cdf0
MD5 hash: c0cad88b7c89fc09c05229097e13a939
SHA1 hash: ffd48addf9aa0c2e8a8d02bcea68f47b0c95f504
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments