MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d22923780ff5b84899095593e884f7a5eb08f936480ebdabb934d0fc4e3b794. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 5 File information Comments

SHA256 hash:	1d22923780ff5b84899095593e884f7a5eb08f936480ebdabb934d0fc4e3b794
SHA3-384 hash:	867f63232ae8109a997b1c7d8143ee938eaf760c6b2900c0c342efe96e799ed9d59818d5b886f4bc90618dd1bf0df897
SHA1 hash:	05d54e797da4a0186f81d64f77b1deee8e6bf0bc
MD5 hash:	ff7c51e653f11e2f90a74fc53bef4532
humanhash:	edward-green-coffee-jupiter
File name:	1D22923780FF5B84899095593E884F7A5EB08F936480E.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	147'456 bytes
First seen:	2021-10-17 07:10:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep	3072:8P+aIehKZ8f3y9YRT8w9gTxVjtVJjbf+:8P+aIla3d3uTFPjbf+
Threatray	7 similar samples on MalwareBazaar
TLSH	T1D5E35B2DB78BCF13C56C0AB950E6351857B563476B33E70A2DCC14FD6E933820A4A69E
Reporter	abuse_ch
Tags:	exe RevengeRAT

abuse_ch

RevengeRAT C2:
102.101.61.52:2222

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
102.101.61.52:2222	https://threatfox.abuse.ch/ioc/234882/

Intelligence

File Origin

# of uploads :

# of downloads :

1'013

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1D22923780FF5B84899095593E884F7A5EB08F936480E.exe

Verdict:

No threats detected

Analysis date:

2021-10-17 07:18:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/198d96d6-1f28-4a0a-bd2d-a5f3f9966862

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/197934/

Detection(s):

Win.Trojan.Generic-6332612-0

Win.Malware.Razy-6862379-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Enabling the 'hidden' option for recently created files

Creating a window

Creating a file

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file in the mass storage device

Encrypting user's files

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

rat

Link:

https://www.filescan.io/uploads/616bcc89db358dd15ebd897a/reports/98b5fb30-5708-4f9f-bd88-0ca5477d7e65/overview

Malware family:

Torwofun

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c0356c80-76fb-4a99-85e8-5f2f7cb253a5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1d22923780ff5b84899095593e884f7a5eb08f936480ebdabb934d0fc4e3b794/

Threat name:

ByteCode-MSIL.Trojan.RevengrRat

Status:

Malicious

First seen:

2021-09-26 23:46:00 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=durjen4a75nyjcmqsvmt5ccppjplbd4tmsaoxwv3sngq7rhdw6ka._file

Verdict:

malicious

RevengeRAT

0ed07cd100c933c766b2183c8c46f913116bc89b2651e22c3dd5a61c06913b7a

RevengeRAT

8d31cd4a15ce8347ee5d40ec43f3f0f6f1938887613d8dd58962df1cf7bfebca

RevengeRAT

a8b12d8c9b157105d4fff973368fc6e916739ca23aa520548e4fd5955780bf52

RevengeRAT

b943704744a23c06174a36aa0e24ecc7ac67aad9edc9c4bd46dd1f007514796d

RevengeRAT

c656d7d18181d06dc4ffa7a0477f44c5ba4e891c18bb66ba31f8f8ddba22f742

RevengeRAT

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat persistence stealer trojan

Link:

https://tria.ge/reports/211017-hzyceadbhp/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Drops startup file

Loads dropped DLL

Executes dropped EXE

RevengeRat Executable

RevengeRAT

Unpacked files

SH256 hash:

1d22923780ff5b84899095593e884f7a5eb08f936480ebdabb934d0fc4e3b794

MD5 hash:

ff7c51e653f11e2f90a74fc53bef4532

SHA1 hash:

05d54e797da4a0186f81d64f77b1deee8e6bf0bc

Link:

https://www.unpac.me/results/a6d810c5-a8a4-4405-81c9-d5abca9a8a1c/

Malware family:

RevengeRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/1d22923780ff/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1d22923780ff5b84899095593e884f7a5eb08f936480ebdabb934d0fc4e3b794

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekSHen
Description:	RevengeRAT and variants payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/197934/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample