MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 2 File information Comments

SHA256 hash:	86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2
SHA3-384 hash:	00fd716da563f66706fdc9e427aba6b51dcd2338a8f285b389defea59563688f513f1127e9e732b3deae7aa3f0864786
SHA1 hash:	4d371844e5961b734c69da1d51d288b295a40961
MD5 hash:	97ef10ac31850230463b782f6739b5b5
humanhash:	tennis-asparagus-nine-beer
File name:	Inquiry for PR#4200027219 2.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	1'023'488 bytes
First seen:	2021-06-07 05:41:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	24576:8oTGNUVYtXiZbDaB+poDS7ynhbUZvGMeqY4FX8xfIDRZ6RjFBUSC2yQw:oUYtXiZvQTcyhbUZnbY4FX8uv6pFqY
Threatray	59 similar samples on MalwareBazaar
TLSH	7525F1323344AB6AEA39B3B55001401293F2ED4BE325D65E7EEDB2DE1439E414772A73
Reporter	abuse_ch
Tags:	exe RevengeRAT

abuse_ch

RevengeRAT C2:
77.247.110.178:5040

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
77.247.110.178:5040	https://threatfox.abuse.ch/ioc/72143/

Intelligence

File Origin

# of uploads :

# of downloads :

1'039

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Inquiry for PR#4200027219 2.exe

Verdict:

Malicious activity

Analysis date:

2021-06-07 06:42:14 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/ec111438-dd2b-43df-b65e-9ab71687cf2c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/164848/

Detection(s):

PUA.Win.Packer.LyWgkx-2

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/797869

Signature

.NET source code contains potential unpacker

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM3

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2021-06-06 22:08:33 UTC

AV detection:

2 of 47 (4.26%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q37vjapnsnguhpcuyoqntgezldan4jfoyd5xiqcnvq3klfazh3ja._file

Verdict:

unknown

RevengeRAT

1c68c7d0a33bea86a5196da97d0e2be82969b64514afcf1c02e83f9d7d342aad

RevengeRAT

64eeadd93ba9b31f35ee2a2d690368dd4ec022e92799d7e770a38df9d7377510

RevengeRAT

70466eb081829487f1d792ca76eafd8c1b2a7a0c8662bab867cb9d04f5ba1ea4

RevengeRAT

9ae2406d2aa40f7c55cca65a53a99174cd77ff24485c3365aac784e97fa85315

RevengeRAT

d9c774da1847e6abed398456df41591676c2db746a6be0282cb36913a9a93806

RevengeRAT

e1e5660d2736e09d353270b8cf9276a500e1f8f54eb995e8c6fb4906431986ed

RevengeRAT

ea0c07c2684522e76b64fc26318a4f6c1b94e460a8eafd920977b2ed84efb6a7

RevengeRAT

f2c1565dcd3964a6a694eeb7701f09285edbad13887fed008e707cb65f981afd

RevengeRAT

f7485552ad15dd1f3dce2579b733e104dea810e8bbc1defd06fc4de935ca6a17

RevengeRAT

+ 49 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210607-dtg136l3be/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

34e69e90b7cb6121c3f93911f21dfb00491ea5d5bb79bfce4902d04f72c24184

MD5 hash:

b6b086a0ab13f3feb9ee8c846d230e5d

SHA1 hash:

dd8e1b816f3e7d9dcfa6eddc20a27fe0fbed478a

Link:

https://www.unpac.me/results/4c4c7b5a-21e7-4777-a378-2d53ad53586c/

SH256 hash:

86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2

MD5 hash:

97ef10ac31850230463b782f6739b5b5

SHA1 hash:

4d371844e5961b734c69da1d51d288b295a40961

Link:

https://www.unpac.me/results/4c4c7b5a-21e7-4777-a378-2d53ad53586c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86ff5481ed934d43bc54c3a0d9989958c0de24aec0fb74404dac36a594193ed2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/164848/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample