MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 9

Intelligence 9 IOCs 1 YARA File information Comments

SHA256 hash:	9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50
SHA3-384 hash:	6e4cafda629e58782b9744aa558db8efafb856a0ffd8b2a150ce0cf39beb859c7b0c6ab4cfa2c441b0de97ada1d9868a
SHA1 hash:	578f634534ca0f06f135f6b565f711dfe8d483c2
MD5 hash:	48f850f90ba9dd0390c5eb42d0f9bef2
humanhash:	beer-michigan-eight-iowa
File name:	Solicitação nº 9822342.js
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	264'594 bytes
First seen:	2025-01-20 13:56:52 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	6144:FGfkaSPcuBpSEGBfpmxD8k0+gHisTt0mCIqceOlgeyy7U00MXfKG:UfkaSPJ96
TLSH	T11144E5784CF7143E1436DEA491C416C7AAA8175FFB990E4925A5E3CC0E47B0EAC3B91E
TrID	66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1) 33.3% (.MP3) MP3 audio (1000/1)
Magika	mp3
Reporter	abuse_ch
Tags:	js RAT RevengeRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
13.49.66.229:333	https://threatfox.abuse.ch/ioc/1387513/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.31320.UNOFFICIAL

SecuriteInfo.com.PUA.JS.Obfus-2525.UNOFFICIAL

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=678e5a7fb5602ee8cdada510

Tags:

obfuscate xtreme shell

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50

Result

Threat name:

RevengeRAT

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1595210

Signature

Bypasses PowerShell execution policy

Found RAT behaviour (information extraction to be send to C&C)

JScript performs obfuscated calls to suspicious functions

Malicious sample detected (through community Yara rule)

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-01-19 01:03:42 UTC

File Type:

Text (JavaScript)

AV detection:

1 of 38 (2.63%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tsh2uzldcoyq47rno3zfxqz37xp334syfoup5dqo2osp6kwwjria._file

Verdict:

malicious

Label(s):

revengerat

Similar samples:

error

RevengeRAT

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:nyancatrevenge execution trojan

Link:

https://tria.ge/reports/250120-q89qsssmcy/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Checks computer location settings

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

RevengeRAT

Revengerat family

Malware Config

C2 Extraction:

13.49.66.229:333

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c8faa656313b10e7e2d76f25bc33bfddfbdf2582ba8fe8e0ed3a4ff2ad64c50

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample