MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dd82c8cfe6e1bd52dc523ba8bb6bb1891f95fcc7187e4f4817400eb3547cda9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dd82c8cfe6e1bd52dc523ba8bb6bb1891f95fcc7187e4f4817400eb3547cda9
SHA3-384 hash: 4e7840d6c5202dd0575350fd0bdfa021a224ac209c3f193bd10e5034a3e520590f840d28f930b69a653cc2d25d0cfb2f
SHA1 hash: e4868eac22f6dda6160da5aa9929b5c732ce74f6
MD5 hash: f898e240cdab196a4a4045a9475e1641
humanhash: johnny-violet-butter-arizona
File name:4DD82C8CFE6E1BD52DC523BA8BB6BB1891F95FCC7187E.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:156'160 bytes
First seen:2023-01-25 05:15:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 3072:cYLvQhh2YZsMFw3GmQ8gM4fNXI614xGBD94lh4c0BoO5mkhltVhFFElbHF9FFFNK:lLIH2YTFhH5FFElbHF9FFFNABlFFFFNB
Threatray 134 similar samples on MalwareBazaar
TLSH T1E3E3D8261BC96A06E5BD93741F7212C487BA8D91C306E72ABFC6059049FFD4FBE02746
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 414545c0d4c05503 (38 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
192.169.69.25:333

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
revenge
Create hunting rule
ID:
1
File name:
4DD82C8CFE6E1BD52DC523BA8BB6BB1891F95FCC7187E.exe
Verdict:
Malicious activity
Analysis date:
2023-01-25 05:18:13 UTC
Tags:
trojan rat revenge
Link:
https://app.any.run/tasks/b8bb226a-7f2d-467c-afd3-a0f804752c05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356617/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed revenge revetrat zpevdo
Link:
https://www.filescan.io/uploads/63d0bb141c9cbf7d625271af/reports/0a515865-6060-4e68-94a1-466331f3c5e4/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df087321-3f3e-401e-b27e-a2ee696c10d3
Result
Threat name:
Revenge
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1158485
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected Revenge RAT
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses dynamic DNS services
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dd82c8cfe6e1bd52dc523ba8bb6bb1891f95fcc7187e4f4817400eb3547cda9/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2019-07-25 17:12:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxmczdh6nyn5klofeo5ixnv3dci7sx6mogd6j5eboqaownkhzwuq._file
Verdict:
malicious
Similar samples:
0c00b32af72a76cebfff85259e60a8f4aea66e93f198774dc370f5713a53fe00
RevengeRAT
0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15
RevengeRAT
13c2861be151681dd93cc997b76d4481664d8b50d5ba0240517921a6462d964e
RevengeRAT
31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae
RevengeRAT
5877724afe41bb6092c7644c8dc4c77d6ba0c51b1bcaf2986488067fc8478ebe
RevengeRAT
7e699ba56009236e84633bd1b1d217bd658a0304d3138353094998779c69898c
RevengeRAT
832291f81a05ffa2de3e741812c0421cffae48f3abce407a5ba3e25bcb83a8d1
RevengeRAT
a8745addaf2f95e0fe6afbc6d6712f817d4a819cf1d08bf7c0ff01822e18e1db
RevengeRAT
ac610045393947ca964d28f15807b623953c07614539b724af3aad7902c53833
RevengeRAT
f709f443072b224af79f87bcf68c9ab90ff3c9b5823e6b7f3bd91f9af97c78ad
RevengeRAT
+ 124 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat stealer trojan
Link:
https://tria.ge/reports/230125-fx5ycsfa22/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
RevengeRat Executable
RevengeRAT
Unpacked files
SH256 hash:
5973a09f51c0bc1a9f3aee715ac7f5fba39602ffa9525579bc4a1ae45acd071d
MD5 hash:
329606402229c90cdc48e6d8c0d7e8fb
SHA1 hash:
875e922c0e180142630f3d79a76932a098a15619
Detections:
win_revenge_rat_g2
Create hunting rule
Link:
https://www.unpac.me/results/005713d7-1251-4aa5-add2-da26256bd0dc/
SH256 hash:
4dd82c8cfe6e1bd52dc523ba8bb6bb1891f95fcc7187e4f4817400eb3547cda9
MD5 hash:
f898e240cdab196a4a4045a9475e1641
SHA1 hash:
e4868eac22f6dda6160da5aa9929b5c732ce74f6
Link:
https://www.unpac.me/results/005713d7-1251-4aa5-add2-da26256bd0dc/
Malware family:
RevengeRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4dd82c8cfe6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dd82c8cfe6e1bd52dc523ba8bb6bb1891f95fcc7187e4f4817400eb3547cda9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/356617/

Comments