MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e0e0722ad9c0f97d3f5c3d3bffcdc1bcf7e1d69d26f868ee5780d1dd850c1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e0e0722ad9c0f97d3f5c3d3bffcdc1bcf7e1d69d26f868ee5780d1dd850c1ef
SHA3-384 hash: 01d029c654d4b524bc86274299259999911bdb61c7f66e03342ccbaf08f78a1e6aca95e7a5c5089a01b4dc679225e2d1
SHA1 hash: 83d213483a0bb6055128cb730e3ee69a437aa0a9
MD5 hash: d14761b1e6085dd9049a2d7d6c447a01
humanhash: social-potato-kentucky-comet
File name:4E0E0722AD9C0F97D3F5C3D3BFFCDC1BCF7E1D69D26F8.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:9'362'631 bytes
First seen:2022-03-10 12:06:15 UTC
Last seen:2022-03-10 13:42:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 196608:8WSO+Y2oBk1btlU+TTr1m3kduzTE6AydJ8gaQmCOR7ZMwB3r0+:FT2ZlTTTZ21zA3ydJORVLr0+
TLSH T12D9633F4D2BAF013DC9ADDB07806FA3A68851E08670F9747278C3F365D631299E55E28
File icon (PE):PE icon
dhash icon 71f098bae2b4c869 (1 x RevengeRAT)
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
216.218.135.118:333

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
216.218.135.118:333 https://threatfox.abuse.ch/ioc/393395/

Intelligence

File Origin
# of uploads :
2
# of downloads :
602
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/249129/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.31771.12045.7275.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6229e9ed0cd58dbd92761ad9/reports/95669293-9f27-4569-b978-d31bde01e5b0/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RevetRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2ad7859-5e23-4157-8779-bcad86fb886a
Result
Threat name:
CyaXSharp Loader RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/954168
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Add Scheduled Task From User AppData Temp
Sigma detected: Suspicius Schtasks From Env Var Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Cassandra Crypter
Yara detected CyaXSharp Loader
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 586648 Sample: 4E0E0722AD9C0F97D3F5C3D3BFF... Startdate: 10/03/2022 Architecture: WINDOWS Score: 100 51 store-images.s-microsoft.com 2->51 53 orisxao.ddns.net 2->53 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 12 other signatures 2->63 10 4E0E0722AD9C0F97D3F5C3D3BFFCDC1BCF7E1D69D26F8.exe 13 2->10         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\...\regdata.exe, PE32 10->41 dropped 43 C:\Users\user\AppData\Roaming\...\fp1011.exe, PE32 10->43 dropped 13 regdata.exe 6 10->13         started        17 fp1011.exe 2 10->17         started        process6 file7 45 C:\Users\user\AppData\Local\...\tmp770A.tmp, XML 13->45 dropped 47 C:\Users\user\AppData\Roaming\wUZkSUjG.exe, PE32 13->47 dropped 65 Writes to foreign memory regions 13->65 67 Allocates memory in foreign processes 13->67 69 Injects a PE file into a foreign processes 13->69 19 RegSvcs.exe 4 13->19         started        22 schtasks.exe 1 13->22         started        49 C:\Users\user\AppData\Local\...\fp1011.exe, PE32 17->49 dropped 24 fp1011.exe 60 17->24         started        signatures8 process9 dnsIp10 55 orisxao.ddns.net 216.218.135.118, 333, 49777, 49790 HURRICANEUS United States 19->55 27 conhost.exe 22->27         started        33 C:\Users\user\AppData\Local\...\setup.exe, PE32 24->33 dropped 35 C:\Users\user\AppData\Local\...\setup-x64.exe, PE32+ 24->35 dropped 37 C:\Users\user\AppData\Local\...\fpui10.dll, PE32 24->37 dropped 39 47 other files (none is malicious) 24->39 dropped 29 setup.exe 24->29         started        file11 process12 process13 31 setup-x64.exe 2 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e0e0722ad9c0f97d3f5c3d3bffcdc1bcf7e1d69d26f868ee5780d1dd850c1ef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 19:48:52 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyhaoivntqhzpu7vypj377g4dphx4hlj2jxyndxfpagr3wcqyhxq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220310-pac4hahggq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
32efd752cec76e4e265b5f94aaa5d295478430dcbb26e984aba3f695d1cca6b4
MD5 hash:
a9031f021edf96ef3aca03081836c559
SHA1 hash:
ef6deb541aee16d47814f0c7c895d0c5a2768b3c
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
8f143e9de1439afe5083bb546829b6e3f0f3541b3c294e2207ef399fb76ad28b
MD5 hash:
d907a7b67e9c230804b058eab40d1015
SHA1 hash:
86c7797cf4d8fc0d9c6afb78228dc7497ef8a730
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
1e5ad874d40e67421160c63d7ce32afe795338691a0d876bb671e90ef88d7b0f
MD5 hash:
2cdf4bc9382e1471f234488ac6d108d5
SHA1 hash:
273736cd627fa2695cc8065e43d967f162000471
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
c20bebf73b70860866620ca44c53fb10d2aa8964056e3a812d9db7fd10d31ace
MD5 hash:
474c9f9e0ee4f5a55f05f8e04627eddb
SHA1 hash:
678c9afe8c49601851e7c2c5c0d85e1b8f904344
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
aeefe34ec2e90a95c68cc9d42f22ce7f093076b359b2103e1da092e09baf4295
MD5 hash:
46d805b55f4d15280b06d1d6f42d2913
SHA1 hash:
b098d9699d8e6979277f5585ee8125d894c8e652
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
d3695b89779c49f11802ff262cc2947584bea776d6c21565237ff70f53e03cf9
MD5 hash:
8f7842b6ad7107411db763d6aeec3f56
SHA1 hash:
42fb1d40e03357ae13a8fc71cdf5de51c908ae48
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
034c06f77c8008d0a1f3e2913223c563de9abbb4090f05c1b174ce5859b1b688
MD5 hash:
f9341d1afd00646048b1d1a7b6048a71
SHA1 hash:
2136dd87042e1891b46d9cd2b64b14d680faad14
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
c6b4b7a71ddbcd6e3467d84a1de08036f3fa8e2f8ff885e9788fa9ea48370c85
MD5 hash:
8c83ebc3863261e9947f1d784162e0a6
SHA1 hash:
046432aa00d141af13cf3cecdaefb7a7ad85f013
Detections:
win_revenge_rat_g2
Create hunting rule
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
f18325809b8d53fef0a1a67b219e8d8d06e870dd4d6f6beefe8e51c15f956638
MD5 hash:
dd8b9781024d4b535b212c2aaf93a1f0
SHA1 hash:
f2f0ee61902b4ff56bc202ef78d374bf6ba52192
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
SH256 hash:
4e0e0722ad9c0f97d3f5c3d3bffcdc1bcf7e1d69d26f868ee5780d1dd850c1ef
MD5 hash:
d14761b1e6085dd9049a2d7d6c447a01
SHA1 hash:
83d213483a0bb6055128cb730e3ee69a437aa0a9
Link:
https://www.unpac.me/results/85a8d8e5-dad3-4c68-96f3-7d2aaaebaff8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e0e0722ad9c0f97d3f5c3d3bffcdc1bcf7e1d69d26f868ee5780d1dd850c1ef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/249129/

Comments