MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076
SHA3-384 hash: fca697faa2ae77e99668f1205c0786b98813b03f5621c372d18f82d07c6d0318ec6355d73dd563746f89e429acb4668a
SHA1 hash: 261668aff6c8b06a3549a6986dc095c69df013e1
MD5 hash: 63a87210453b1e81a8edc2a0ea6608ae
humanhash: victor-eleven-april-orange
File name:Part Number Details.pdf.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:410'112 bytes
First seen:2022-02-02 13:47:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:xCpmBQL0mclpA2wt+N/6c7inm8C/Y/mVO7Ju:k2VOV
Threatray 1'232 similar samples on MalwareBazaar
TLSH T125944BA4B162A4CEE40BC870596CFC30017234F7A6CB493A632B3658CF9DE966F4559F
File icon (PE):PE icon
dhash icon 79e4e4ccccc4c4c0 (12 x RedLineStealer, 11 x Formbook, 3 x AgentTesla)
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
79.134.225.74:6169

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.74:6169 https://threatfox.abuse.ch/ioc/376270/

Intelligence

File Origin
# of uploads :
1
# of downloads :
581
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/230125/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/61fa8b9818d1bfdde4eb538a/reports/d2477383-80c4-4d1d-8e62-dc2d3608997c/overview
Malware family:
RevetRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc7d70fa-9501-4652-be57-453c41535d41
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/932401
Signature
Adds a directory exclusion to Windows Defender
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Double Extension
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 564879 Sample: Part Number Details.pdf.exe Startdate: 02/02/2022 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Detected unpacking (changes PE section rights) 2->47 49 17 other signatures 2->49 7 Part Number Details.pdf.exe 7 2->7         started        process3 file4 31 C:\Users\user\AppData\...\WXNGVZhFshhea.exe, PE32 7->31 dropped 33 C:\...\WXNGVZhFshhea.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmpF5AB.tmp, XML 7->35 dropped 37 C:\Users\...\Part Number Details.pdf.exe.log, ASCII 7->37 dropped 53 Adds a directory exclusion to Windows Defender 7->53 55 Injects a PE file into a foreign processes 7->55 11 Part Number Details.pdf.exe 7->11         started        16 powershell.exe 24 7->16         started        18 powershell.exe 25 7->18         started        20 schtasks.exe 7->20         started        signatures5 process6 dnsIp7 41 mikekentroland48.ddns.net 79.134.225.74, 49768, 49797, 6169 FINK-TELECOM-SERVICESCH Switzerland 11->41 39 C:\Users\user\AppData\Local\...\BqIqbexi.vbs, ASCII 11->39 dropped 57 Tries to harvest and steal ftp login credentials 11->57 59 Tries to harvest and steal browser information (history, passwords, etc) 11->59 22 wscript.exe 11->22         started        25 conhost.exe 16->25         started        27 conhost.exe 18->27         started        29 conhost.exe 20->29         started        file8 signatures9 process10 signatures11 51 Deletes itself after installation 22->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-02 13:48:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fywl36wjzqd2uqgi3qgipfhqqyyyo7oc2d6vk5rpwxqkuwmk2b3a._file
Verdict:
malicious
Similar samples:
0ca36d4179faaa7e2d12811b06e5db165d51ae4212fff38f877d77c7f688e48f
RevengeRAT
13ce54d053256ed33282cc8e8a47f9a3c83f9b96f4230df70a7b947c55c611f5
RevengeRAT
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e
RevengeRAT
19a6c46042956694ad614c1abc227164a2e300f25ccba8eb8d53ae782d252464
RevengeRAT
3cd5be20fc52a85f70dae0f6ecb7a63e343a8eb1625ea53be792b497e5452251
RevengeRAT
5a2f0942b0175d142da5dcc433aa22e734f6bb80d7d351afdb0420104a843c3a
RevengeRAT
64c569a63e0262d98d31e5667735e104ffa325b7175d1d8f68fdffc3586a5575
RevengeRAT
cef6abc3a0e98b5658b2a08a663478387cddb0d7450ccc0e5a0d5ac1de01255c
RevengeRAT
e5985eb7622c1bcb77fb310377a753cc9d6d9aff9c71f6dd60658889d03c332b
RevengeRAT
fc74933986ac3619850c028d84642f70effa6775eaf2bdce09a2cf1c0feb2c33
RevengeRAT
+ 1'222 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat botnet:nyancatrevenge evasion trojan
Link:
https://tria.ge/reports/220202-q3kvgsabdl/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
RevengeRAT
Malware Config
C2 Extraction:
mikekentroland48.ddns.net:6169
Unpacked files
SH256 hash:
79596cb32baaabea5a4d70196be0cf2e7672b899704ab78ac2005018c2d560c8
MD5 hash:
f3b785ec3bf41072abc62924ea3d74bc
SHA1 hash:
b08ec39af6e2064c40550557862896f418191024
Detections:
win_revenge_rat_g2
Create hunting rule
Link:
https://www.unpac.me/results/a9a95b37-f496-4919-8d67-4e305170247a/
SH256 hash:
0f876faefc4da5982edd9d45938b928616f9860b0ffa6bae2387c110be80c12b
MD5 hash:
4f392f58a34c922f8e98915262561c0f
SHA1 hash:
9d2a5f8545fba28cb87f7137bb4de3b12a7a2521
Link:
https://www.unpac.me/results/a9a95b37-f496-4919-8d67-4e305170247a/
SH256 hash:
6f1b89bc3013177c101fe4448340c48c0dd08d19017a798bd11c2d0f76be1fbc
MD5 hash:
60a604887b3616e3ed86d81fab0a9ebb
SHA1 hash:
8db84f5f4c569c86c69aff464b2ffc4ce3dafa20
Link:
https://www.unpac.me/results/a9a95b37-f496-4919-8d67-4e305170247a/
SH256 hash:
2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076
MD5 hash:
63a87210453b1e81a8edc2a0ea6608ae
SHA1 hash:
261668aff6c8b06a3549a6986dc095c69df013e1
Link:
https://www.unpac.me/results/a9a95b37-f496-4919-8d67-4e305170247a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e2cbdfac9cc07aa40c8dc0c8794f08631877dc2d0fd55762fb5e0aa598ad076

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/230125/

Comments