MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 4 File information Comments

SHA256 hash:	336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6
SHA3-384 hash:	a395e2c0590021802d732e59de22927bbae32055e23eb3edea4cc92724af0b31300ad424b7fb096408d2c9ec9ae6d1c4
SHA1 hash:	f4d1c1c3e8ac828ffd3675a7590590d856473c87
MD5 hash:	8a482533fe2e91bf1542fd9568774473
humanhash:	cola-skylark-fruit-butter
File name:	336A4B6F945E79E683E1D1D0CF1EDAA2F41AB0A5DCC96.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	2'206'720 bytes
First seen:	2022-07-31 07:40:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	49152:vsEfsrnCdjhzrBihV+xt4EVXJEAc/w31JQGQRgRMF2:vsHLCdPwsxtlTjRliGmQMF2
Threatray	4'381 similar samples on MalwareBazaar
TLSH	T119A53353BA474733C86C687021F71C2453F29347BB37DAC5284AA75C7CAB79089A5B8A
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10523/12/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	4ab0d2d8c6c7e113 (1 x RevengeRAT)
Reporter	abuse_ch
Tags:	exe RevengeRAT

abuse_ch

RevengeRAT C2:
192.169.69.25:1912

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
192.169.69.25:1912	https://threatfox.abuse.ch/ioc/840562/

Intelligence

File Origin

# of uploads :

# of downloads :

544

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/295328/

Detection(s):

Win.Dropper.LimeRAT-9776087-0

Win.Trojan.RevengeRAT-6690354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Enabling the 'hidden' option for analyzed file

Creating a window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Query of malicious DNS domain

Sending a TCP request to an infection source

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed

Link:

https://www.filescan.io/uploads/62e6324dbcf76fcb6cd3b106/reports/d0d7e7b0-bfe7-4b27-89e9-4ecf4e8233fe/overview

Malware family:

Torwofun

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/42485f91-b353-4d99-bbcf-cd850206f29a

Result

Threat name:

RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1043729

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Drops PE files with benign system names

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Uses dynamic DNS services

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6/

Threat name:

ByteCode-MSIL.Trojan.RevengeRAT

Status:

Malicious

First seen:

2017-06-17 15:47:03 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=gnvew34ulz46na7b2him6hw2ul2bvmff3tew5un5kzkx3dw2jtda._file

Verdict:

malicious

RevengeRAT

0b4ccd794d4c74c73f78eecf5bd9057fb7ab1d558aab5937b6cf7aa52d53373f

RevengeRAT

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b

RevengeRAT

5f5dd9783ee79a7097f47c023015c07c76d5b9e5562362fa54cc28b2f7d1744a

RevengeRAT

7af6be720f63c86de10443745e332a5717aa9b14fa3e8ecca584ef370f2080da

RevengeRAT

b195c22e15188d7a28301bddfea3a6790ff522911f0eb1069292db17bcb62fa7

RevengeRAT

cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f

RevengeRAT

e44ea6095036b15910c82941c0c3af5178687d3deeb9954adf9967cd833b9349

RevengeRAT

fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf

RevengeRAT

+ 4'371 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat persistence stealer trojan

Link:

https://tria.ge/reports/220731-jh4crsfhbl/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Drops startup file

Loads dropped DLL

Uses the VBS compiler for execution

Drops file in Drivers directory

Executes dropped EXE

RevengeRat Executable

RevengeRAT

Unpacked files

SH256 hash:

336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6

MD5 hash:

8a482533fe2e91bf1542fd9568774473

SHA1 hash:

f4d1c1c3e8ac828ffd3675a7590590d856473c87

Link:

https://www.unpac.me/results/43f1e7a4-a69e-48ad-b650-c3a5cff76ffc/

Malware family:

RevengeRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/336a4b6f945e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/336a4b6f945e79e683e1d1d0cf1edaa2f41ab0a5dcc96ed1bd56557d8eda4cc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekSHen
Description:	RevengeRAT and variants payload

Rule name:	NETDIC208_NOCEX_NOREACTOR Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/295328/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample