MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52dbad297f44b652a0902a67c244a4f83274dbb0936cb6aa0a7437d03e2f869b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52dbad297f44b652a0902a67c244a4f83274dbb0936cb6aa0a7437d03e2f869b
SHA3-384 hash: b6cf2765195800b9c0bf37c01c570dc56d8c4e7fba2b17a4b17fb1abb63d0904931a037f559b657ac4f6909e916b700c
SHA1 hash: 80326b505cae1251fc83461d1085a93dc7550e4e
MD5 hash: ae4ca8e683eb57d16837b1f864b43a9c
humanhash: spring-oregon-solar-muppet
File name:ae4ca8e683eb57d16837b1f864b43a9c.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:1'684'992 bytes
First seen:2022-04-15 23:30:54 UTC
Last seen:2022-04-20 10:20:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'930 x AgentTesla, 19'824 x Formbook, 12'310 x SnakeKeylogger)
ssdeep 24576:3+/3qlrCNoh+UqgIwhCNoh+JR9FrIJJpCNoh+7b4S7k5hdC1HPzgz8HjxJzp3k9v:u/iJe2URoG9v0zIjx33k92
Threatray 17 similar samples on MalwareBazaar
TLSH T1E7758C61335125A6DA59D277C192F88007B3BD63673FC26A2CD662BD4D833C9AE03B53
TrID 48.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.6% (.SCR) Windows screen saver (13101/52/3)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 6cc6869cdce992d2 (1 x RevengeRAT)
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
147.135.21.144:1111

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.135.21.144:1111 https://threatfox.abuse.ch/ioc/520334/

Intelligence

File Origin
# of uploads :
3
# of downloads :
652
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
revenge
Create hunting rule
ID:
1
File name:
ae4ca8e683eb57d16837b1f864b43a9c.exe
Verdict:
Malicious activity
Analysis date:
2022-04-15 23:33:51 UTC
Tags:
trojan rat revenge
Link:
https://app.any.run/tasks/4e2801ef-6c7f-4eef-8665-7345d62c6f07

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264035/
Detection(s):
SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi control.exe obfuscated packed packed razy replace.exe
Link:
https://www.filescan.io/uploads/625a0037ffe27d5119e00531/reports/f9ad598b-6fb8-44ca-abbb-bc52f8cfba40/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec08dee8-ed9f-457b-b102-0035626ed6b6
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/977557
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: File Created with System Process Name
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 610044 Sample: Xv182IrXqC.exe Startdate: 16/04/2022 Architecture: WINDOWS Score: 100 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Multi AV Scanner detection for domain / URL 2->96 98 Found malware configuration 2->98 100 14 other signatures 2->100 8 Xv182IrXqC.exe 6 2->8         started        11 explorer.exe 2->11         started        15 svchost.exe 2->15         started        17 12 other processes 2->17 process3 dnsIp4 52 C:\Users\user\...\SMS Bomber V1 AGC007 .exe, PE32 8->52 dropped 54 C:\Users\user\AppData\Local\Temp\Setup.exe, PE32 8->54 dropped 56 C:\Users\user\AppData\...\Xv182IrXqC.exe.log, ASCII 8->56 dropped 19 Setup.exe 1 7 8->19         started        23 SMS Bomber V1 AGC007 .exe 2 8->23         started        25 Setup.exe 3 8->25         started        80 2 other IPs or domains 11->80 128 Antivirus detection for dropped file 11->128 130 System process connects to network (likely due to code injection or exploit) 11->130 132 Multi AV Scanner detection for dropped file 11->132 138 2 other signatures 11->138 70 capeturk.com 15->70 72 blogspot.l.googleusercontent.com 15->72 74 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com 15->74 27 explorer.exe 15->27         started        76 capeturk.com 17->76 78 127.0.0.1 unknown unknown 17->78 82 4 other IPs or domains 17->82 134 Query firmware table information (likely to detect VMs) 17->134 136 Changes security center settings (notifications, updates, antivirus, firewall) 17->136 30 explorer.exe 17->30         started        32 MpCmdRun.exe 17->32         started        file5 signatures6 process7 dnsIp8 46 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 19->46 dropped 102 Multi AV Scanner detection for dropped file 19->102 104 Detected unpacking (overwrites its own PE header) 19->104 106 Machine Learning detection for dropped file 19->106 110 2 other signatures 19->110 34 svchost.exe 9 19->34         started        84 blog.capeturk.com 147.135.21.144, 1111, 49724 OVHFR United States 27->84 86 blogspot.l.googleusercontent.com 27->86 88 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com 27->88 108 System process connects to network (likely due to code injection or exploit) 27->108 90 blogspot.l.googleusercontent.com 30->90 92 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com 30->92 39 conhost.exe 32->39         started        file9 signatures10 process11 dnsIp12 60 capeturk.com 144.126.144.223, 49710, 49711, 49717 LOYOLAUS United States 34->60 62 blogspot.l.googleusercontent.com 142.250.186.65, 443, 49712, 49719 GOOGLEUS United States 34->62 64 2 other IPs or domains 34->64 48 C:\Users\user\AppData\...\explorer.exe, PE32 34->48 dropped 50 C:\Users\user\AppData\...\svchost.exe.log, ASCII 34->50 dropped 112 System process connects to network (likely due to code injection or exploit) 34->112 114 Multi AV Scanner detection for dropped file 34->114 116 Detected unpacking (overwrites its own PE header) 34->116 118 2 other signatures 34->118 41 explorer.exe 34->41         started        file13 signatures14 process15 dnsIp16 66 blogspot.l.googleusercontent.com 41->66 68 aaaaaaaaaaaaabbbbbbbbbbbbbb.blogspot.com 41->68 58 C:\Users\user\AppData\...\explorer.exe, PE32 41->58 dropped 120 Antivirus detection for dropped file 41->120 122 System process connects to network (likely due to code injection or exploit) 41->122 124 Multi AV Scanner detection for dropped file 41->124 126 4 other signatures 41->126 file17 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52dbad297f44b652a0902a67c244a4f83274dbb0936cb6aa0a7437d03e2f869b/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-04-11 04:55:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
60
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kln22kl7is3ffieqfjt4erfe7azhjw5qsnwlnkqkoq35aprpq2nq._file
Verdict:
malicious
Similar samples:
066bdbaf5b5526cc3040573bea83da7a384e0c97df13d50a7cc0716b1dd8e6ac
RevengeRAT
27b1723e770a97166455a9b7edd4c7e3ee89ac046ef8dad51f7a48ac7c71c006
RevengeRAT
587ccc1e9cb1ab35402bd58787fa9f02646f9561f8f7906d09095a62fbc9149f
RevengeRAT
6ee54c5576668d306e93e6c1e08c21a804eb0b52cd0fece6b8f2637f9738476b
RevengeRAT
a9d6aa7ef3fde33eb2df6b9c3ec92965f066049cacba533ffc09a877133b809e
RevengeRAT
b3455d9d3bf50da0762a0d2aa57f4041af76b86024376af1a07b774bb7166ffc
RevengeRAT
bebb125456266d90678d0bb26ec95a812a96edd68523d41b00a7d7c9ead8a821
RevengeRAT
ca81dddc3114741ff564c3363e4138689286857db50f32cd1c75ae22fe68be64
RevengeRAT
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220415-3hn3magfc5/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
9fc1a36d5d711356e2e06f26e4d79462ee7ac35782c7598c47cc0a2c9c8bcb8c
MD5 hash:
6c2c7fdd4a6b7cc59202e5e8e6cc4b56
SHA1 hash:
b80acf59f4e996069a103fdc9d5c3a85fbe560db
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
c2db3ae82d4045973d86ccf58c98541e6bb768d13693ec2f4b866dfc7fbf79de
MD5 hash:
1653256765d0a25e6f21525131f477f4
SHA1 hash:
38862bf0a07c3ca11e19b15fb00cbb760faae6de
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
MD5 hash:
34ea7f7d66563f724318e322ff08f4db
SHA1 hash:
d0aa8038a92eb43def2fffbbf4114b02636117c5
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26
MD5 hash:
65ef4b23060128743cef937a43b82aa3
SHA1 hash:
cc72536b84384ec8479b9734b947dce885ef5d31
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
48ad6baa30283120858e3ae8d526cd0a5cb14a4f426c957304efad26d1a9a454
MD5 hash:
40600df9a23c8d0b50c712dabad90fc4
SHA1 hash:
17eeb30e5e2e5dca7201cf8fde9bbfdfc9c721b4
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
4450b392b1b4b66bb1ae42295637781e3e6fa5dabfc31e255e2741b80fd54ec7
MD5 hash:
3a31b99e7836b32e333ddb95bcaeeba3
SHA1 hash:
029f58bb9c2afe6bc2f811ecd88318d4eab4b39f
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
SH256 hash:
52dbad297f44b652a0902a67c244a4f83274dbb0936cb6aa0a7437d03e2f869b
MD5 hash:
ae4ca8e683eb57d16837b1f864b43a9c
SHA1 hash:
80326b505cae1251fc83461d1085a93dc7550e4e
Link:
https://www.unpac.me/results/8f17ef4f-b08a-421e-8f99-d4455a914d15/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52dbad297f44/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/52dbad297f44b652a0902a67c244a4f83274dbb0936cb6aa0a7437d03e2f869b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264035/

Comments