MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
SHA3-384 hash: 1c838372a2cc8bc4c255c5016d49a7cfa240f4d0a8818ecc2bed5092b49e2449e6927f1bb0bc4d3e9e95867687688539
SHA1 hash: e71be2b641a6a42ab3f0cbcb67867ff515839317
MD5 hash: 892492c879d410e9e659be6c83674de1
humanhash: missouri-missouri-mobile-fillet
File name:892492c879d410e9e659be6c83674de1
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:473'088 bytes
First seen:2021-07-08 08:43:45 UTC
Last seen:2021-07-08 10:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:ka6JyTtbdt4CW7HEOGL+a7euP9a3B4Zwd8raWpoMyVkB24QZ+3aEwy:8Jy//W7HEOr2VP05u2WpoM324ewwy
Threatray 331 similar samples on MalwareBazaar
TLSH T113A41255B9A1D4A1C0C74AB39AA7D45047EB3DD5AA03D10B78CD328F0F33B57DB18AA2
Reporter zbetcheckin
Tags:32 exe RevengeRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
960
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
892492c879d410e9e659be6c83674de1
Verdict:
Malicious activity
Analysis date:
2021-07-08 08:54:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3ef0d9d8-7b7c-4ba1-aece-944fc15c89fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170380/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37201436.31671.15956.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2b30810-2620-4f5c-8c86-f0cfc379e2b6
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/813337
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445748 Sample: P1lZGKbECF Startdate: 08/07/2021 Architecture: WINDOWS Score: 96 49 cryptogenerator.club 2->49 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected RevengeRAT 2->57 59 .NET source code contains method to dynamically call methods (often used by packers) 2->59 61 5 other signatures 2->61 9 P1lZGKbECF.exe 4 11 2->9         started        13 Chrome.exe 2->13         started        15 Chrome.exe 2->15         started        signatures3 process4 file5 37 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\P1lZGKbECF.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 9->41 dropped 43 4 other malicious files 9->43 dropped 63 Writes to foreign memory regions 9->63 65 Injects a PE file into a foreign processes 9->65 17 P1lZGKbECF.exe 2 9->17         started        21 wscript.exe 1 9->21         started        23 AdvancedRun.exe 1 9->23         started        25 2 other processes 9->25 67 Machine Learning detection for dropped file 13->67 signatures6 process7 dnsIp8 45 cryptogenerator.club 2.56.59.59, 1337, 49735, 49736 GBTCLOUDUS Netherlands 17->45 51 Machine Learning detection for dropped file 17->51 53 Wscript starts Powershell (via cmd or directly) 21->53 27 powershell.exe 21->27         started        47 192.168.2.1 unknown unknown 23->47 29 AdvancedRun.exe 23->29         started        31 AdvancedRun.exe 25->31         started        33 conhost.exe 25->33         started        signatures9 process10 process11 35 conhost.exe 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81/
Threat name:
ByteCode-MSIL.Backdoor.Rrat
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 03:08:24 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ibs66yki3axjwih3r6zbw6ljmnx5yaqyewpqngw77k6twkeczsaq._file
Verdict:
malicious
Similar samples:
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
RevengeRAT
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
RevengeRAT
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
RevengeRAT
8408707aaa2dc1118bda9431f110e265d716b5cb5bc0ca8a9655828cad8b7b0e
RevengeRAT
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
RevengeRAT
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
RevengeRAT
a576dd4d6b216109bf7044bc90ebd70a2205bffb43272b28f8f112b480eecea5
RevengeRAT
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
RevengeRAT
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
RevengeRAT
f0aec42c4adf98c914904d1fd3db75d1db56591088f12e27849cbc427aaf6c7d
RevengeRAT
+ 321 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence
Link:
https://tria.ge/reports/210708-davm4xv61e/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Nirsoft
Unpacked files
SH256 hash:
50e784373c065f0edc1ff8e56424957093b11e1a2f44daba16710a5096e86631
MD5 hash:
8eacaf1f21b8a7adadfeeb06c7c64ab8
SHA1 hash:
0e1ed3a4d38c3146b8e1cb7dacf3fdbc8a35067b
Link:
https://www.unpac.me/results/98412c81-7b44-4f3b-a5b0-b69f3abd6880/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/98412c81-7b44-4f3b-a5b0-b69f3abd6880/
SH256 hash:
d4799b94e48f378220b0cae38d68979734498263f145a205f90409dc2e328aad
MD5 hash:
fa390754a3a6a9f5c816bdbbd31cb27c
SHA1 hash:
a9063e7f6b41b0bcff908d68004558852cd85cc1
Link:
https://www.unpac.me/results/98412c81-7b44-4f3b-a5b0-b69f3abd6880/
SH256 hash:
155f2b265c3ef652476d89e2594c2930382c5457237c2453b5923cc525ea09c7
MD5 hash:
ef8bb96748fc0b0461c437fdf335834a
SHA1 hash:
8f533cafdb8bfa699e5d74f84450b10431cf40cc
Link:
https://www.unpac.me/results/98412c81-7b44-4f3b-a5b0-b69f3abd6880/
SH256 hash:
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
MD5 hash:
892492c879d410e9e659be6c83674de1
SHA1 hash:
e71be2b641a6a42ab3f0cbcb67867ff515839317
Link:
https://www.unpac.me/results/98412c81-7b44-4f3b-a5b0-b69f3abd6880/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevengeRAT

Executable exe 4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435570/
Cape
Cape
https://www.capesandbox.com/analysis/170380/

Comments


Avatar
zbet commented on 2021-07-08 08:43:47 UTC

url : hxxp://porncamsworld.com/revenge.exe