MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
SHA3-384 hash: 1d828a642fead01ee4ae7f0a1f171c985455ff343365367aeb49ccb6fe110c67478e25b879574164860a2d78661e0362
SHA1 hash: 84db67126574c21ef3233518452876ad123b4aa1
MD5 hash: 73619a5f7eab7a80e0fbbd5c8493c9b4
humanhash: zebra-wolfram-moon-thirteen
File name:Quotation #01521.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:835'584 bytes
First seen:2021-01-05 07:29:21 UTC
Last seen:2021-01-05 10:06:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:KS7/DxvkrhDdyquS7xY+kbB44daFa7XIEk9RC9uT0mSAQdP:b7cIqh7x78B4urLIvpT0mSAQdP
Threatray 81 similar samples on MalwareBazaar
TLSH 4F050782EA418672C467A131137DBE190B09EEF5315DDB1408DCBC177C6AB8D3B9AE63
Reporter abuse_ch
Tags:exe RAT RevengeRAT


Avatar
abuse_ch
Malspam distributing RevengeRAT:

HELO: pop1.ocnk.net
Sending IP: 210.224.191.16
From: Abdullakhan Huerta <abdullakhan@sigmalabels.ae>
Reply-To: abdullakhan@sigmalabels.ae
Subject: New ORDER Ref..#01521
Attachment: Quotation 01521.img (contains "Quotation #01521.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'373
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation #01521.exe
Verdict:
Malicious activity
Analysis date:
2021-01-05 07:32:42 UTC
Tags:
trojan rat revenge njrat bladabindi
Link:
https://app.any.run/tasks/c5adafdd-819f-45fd-b09c-8e2c9f30310c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RevengeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110511/
Detection(s):
SecuriteInfo.com.Artemis73619A5F7EAB.9017.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Creating a file
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/573942
Signature
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
revengerat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pjjyxf44fijg7muh5v53wgfmkvuhe467xlbmbhpil4dtzg7v4ppq._file
Verdict:
unknown
Similar samples:
05bf19658e01f71db84080366721ac104481bd944e739802f7e46bdb8b210efa
RevengeRAT
0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2
RevengeRAT
144e3b521adb2f66b50fd33944e006ed93078559a0469ef44efad381d4865555
RevengeRAT
19d7b16a0a50b6eb2e79a6d04f1f4f8b17c9e82162ccdc0778cb0934af5b5657
RevengeRAT
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
RevengeRAT
3ba094f9ee7f050b817b94daad2e9b8334ecf138d474d54c993b2c3737c3eb34
RevengeRAT
77fb17512bdea82047a24a36b153ef5277e6be10c3dcd16e123468c9d7564176
RevengeRAT
94ad9a52ad59b1368c435cc1237918cec7826080b724bba5a63880829c96b064
RevengeRAT
ad6e93284e34255607659e7e078cd4f6c43d0858297ea612c4effed17330b63d
RevengeRAT
b678f8fc8345839947b67e710f534a46b7bf435187d2d31d89c51e687af9dea4
RevengeRAT
+ 71 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat botnet:2021 persistence stealer trojan
Link:
https://tria.ge/reports/210105-nbpajjepkn/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
RevengeRat Executable
RevengeRAT
Malware Config
C2 Extraction:
chongmei33.myddns.rocks:57438
37.120.208.40:57438
Unpacked files
SH256 hash:
7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
MD5 hash:
73619a5f7eab7a80e0fbbd5c8493c9b4
SHA1 hash:
84db67126574c21ef3233518452876ad123b4aa1
Link:
https://www.unpac.me/results/264906a4-645d-4aa8-aaa3-751dc40c0766/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/264906a4-645d-4aa8-aaa3-751dc40c0766/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/264906a4-645d-4aa8-aaa3-751dc40c0766/
SH256 hash:
50a5e178c99b30570e33de0af8c23d5e1497d9fcc25db7e75e7ddb872a57014b
MD5 hash:
9ae6ae612e96fdc0dc36b68f7775d926
SHA1 hash:
f5d215db48678f1e9e347468db4a4cd5dc9110de
Detections:
win_revenge_rat_g2
Create hunting rule
Link:
https://www.unpac.me/results/264906a4-645d-4aa8-aaa3-751dc40c0766/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RevengeRAT
Create hunting rule
Author:ditekSHen
Description:RevengeRAT and variants payload
Rule name:RevengeRAT_Sep17
Create hunting rule
Author:Florian Roth
Description:Detects RevengeRAT malware
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RevengeRAT

img d9507f342e1d1b97e33c8a4738dea70f502296d37581bc6270ccf56f15e05f22

RevengeRAT

Executable exe 7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df

(this sample)

  
Dropped by
MD5 c2e1ba0f582c7fc12e31e23cc9e489c7
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d9507f342e1d1b97e33c8a4738dea70f502296d37581bc6270ccf56f15e05f22
Cape
Cape
https://www.capesandbox.com/analysis/110511/

Comments