MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78
SHA3-384 hash:	d4f5fff3b3ac5fcde6a2564cd675c461aba43277a8013c2c07e18e8f67067b2e7fe8f9bca1f30720349a5631cd574121
SHA1 hash:	46bc9999baf89dabdd1108d5ab643fe24940ca1f
MD5 hash:	0e169c99a16915d62af16dd897b9f410
humanhash:	spring-emma-april-florida
File name:	0e169c99a16915d62af16dd897b9f410
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	347'592 bytes
First seen:	2020-11-17 11:52:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:3xYnfrsNsXoV5PSuDtvj4IM35d6pDcHxWNhIiyR1cF/Dm8jCxZj7TMO:34frlXSPSc4pYeHgy1sCxpTMO
Threatray	55 similar samples on MalwareBazaar
TLSH	E574D09C69AC6933C7D76BB6D2B69D201779A30BEB478BC5A140C1E50F422C82C653F7
Reporter	seifreed
Tags:	RevengeRAT

Code Signing Certificate

Organisation:	Google LLC
Issuer:	DigiCert Assured ID Code Signing CA-1
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 8 00:00:00 2019 GMT
Valid to:	Nov 16 12:00:00 2022 GMT
Serial number:	06AEA76BAC46A9E8CFE6D29E45AAF033
Intelligence:	16 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	5F2F2840C6E51D17F09334ADA05D9DCDD9AEEB11AF0AE163816757D539ABE3EE
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

1'085

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Variant.Adware.BrowseFox.62.UNOFFICIAL

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a file

Connection attempt

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78/

Threat name:

ByteCode-MSIL.Backdoor.Rrat

Status:

Malicious

First seen:

2020-11-07 03:12:23 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pt4w35s2tls6trkog4llqargbbklspim35linvewgaqeynlwxn4a._file

Verdict:

malicious

RevengeRAT

7af6be720f63c86de10443745e332a5717aa9b14fa3e8ecca584ef370f2080da

RevengeRAT

85e13a72f67635d8590b1952332a37371f5f06400cedd60cd8c85415a051c031

RevengeRAT

a324263f8734bb62ba035022d5533419994482ccd63f8adbf717ae52a9c2e6e1

RevengeRAT

d85497f61b07d8f8cc30c3c66ab21883a0274c7a3e7bc982a3a622ca2eed39a4

RevengeRAT

e0287568096f94034a8746adef8f4c08db4ef5f51134f90740b1c72eb1b1eb0b

RevengeRAT

e44ea6095036b15910c82941c0c3af5178687d3deeb9954adf9967cd833b9349

RevengeRAT

e72478765908b84f150ef0b7e895cfca0780a9107de6cf819ec5715f6f179acd

RevengeRAT

ed5c6f06e459285fa5e621026be965558add0841e7426ecee6d3e41d5e9b9761

RevengeRAT

edcf2ab0937689a7e0475395a8654f874e413649ee63100e61c4d1a8c09ba681

RevengeRAT

+ 45 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat stealer trojan

Link:

https://tria.ge/reports/201117-spebkeazdx/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RevengeRat Executable

RevengeRAT

Unpacked files

SH256 hash:

7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78

MD5 hash:

0e169c99a16915d62af16dd897b9f410

SHA1 hash:

46bc9999baf89dabdd1108d5ab643fe24940ca1f

Link:

https://www.unpac.me/results/7d03c990-590c-44b4-8efa-b34af95d7c02/

SH256 hash:

3fe966e21625f83eccdcc49762305a16e6c488397b4e08a98e1be48d93c3a571

MD5 hash:

884c22791622cbd6edc8ad0dfcea87f2

SHA1 hash:

8b2b539c86f49597a05a289fda4ac27b2fd1c177

Link:

https://www.unpac.me/results/7d03c990-590c-44b4-8efa-b34af95d7c02/

Parent samples :

fb50faa852bc2917ace3552b02c754c91872d0892e247f51a1e48336e598d6ef
6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
8e36d4f98a882487bedbedf73cbb010f793c7bb529d133a58673a14850198f9f

SH256 hash:

293c150c96f1950b93a69c25e7390b51f450d65c2e0e5284aea4e866489e9d47

MD5 hash:

7547f4cede3ade78417c2fc643ed4517

SHA1 hash:

9101bb860df9dec729c12f80a80bb1625ab4b68b

Link:

https://www.unpac.me/results/7d03c990-590c-44b4-8efa-b34af95d7c02/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample