MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9
SHA3-384 hash: d1adcfa4e8f9c8392503f94d6bf9669284a42655523a384db2f5e80fec2cb5af577e612d8ecc056b78ee6af638579d30
SHA1 hash: 3abb538e25c7d67420c9b5cba27c3e0f3589b3c2
MD5 hash: 4dbcad0928d1922aebb5a6269e0590e4
humanhash: hawaii-solar-saturn-triple
File name:4DBCAD0928D1922AEBB5A6269E0590E4.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:268'800 bytes
First seen:2021-06-16 19:06:00 UTC
Last seen:2021-06-16 19:43:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:xhZGSlMivfO5ca3Uzje4GKUtmzcDImnJfy:DUSlMiv22a3wjsmzcDIm
Threatray 139 similar samples on MalwareBazaar
TLSH D344AF0197BD4F65E3AA2778C2A511054B28BA44C2CFE74F608E0BA9FC417FBE963457
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
85.86.181.192:3333

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
85.86.181.192:3333 https://threatfox.abuse.ch/ioc/130926/

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'070
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4DBCAD0928D1922AEBB5A6269E0590E4.exe
Verdict:
Malicious activity
Analysis date:
2021-06-16 19:08:23 UTC
Tags:
trojan rat revenge
Link:
https://app.any.run/tasks/8e1fa591-5de6-4664-8e84-08515a8b09fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.12557.14392.2051.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a file
Enabling the 'hidden' option for analyzed file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/48b10753-0619-47c9-b6b7-c3cb0496b62b
Result
Threat name:
Revenge RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803308
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Revenge RAT
Drops PE files to the startup folder
Found malware configuration
Found RAT behaviour (information extraction to be send to C&C)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435719 Sample: Te7jI58Zun.exe Startdate: 16/06/2021 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 8 other signatures 2->55 8 Te7jI58Zun.exe 1 2->8         started        11 igfxCUIService.exe 2->11         started        14 igfxCUIService.exe 2->14         started        16 igfxCUIService.exe 2->16         started        process3 file4 39 C:\Users\user\AppData\...\Te7jI58Zun.exe.log, ASCII 8->39 dropped 18 Te7jI58Zun.exe 5 8->18         started        63 Injects a PE file into a foreign processes 11->63 22 igfxCUIService.exe 11->22         started        24 igfxCUIService.exe 16->24         started        signatures5 process6 dnsIp7 45 127.0.0.1 unknown unknown 18->45 35 C:\Users\user\AppData\...\igfxCUIService.exe, PE32 18->35 dropped 37 C:\...\igfxCUIService.exe:Zone.Identifier, ASCII 18->37 dropped 26 igfxCUIService.exe 1 18->26         started        file8 process9 signatures10 57 Antivirus detection for dropped file 26->57 59 Multi AV Scanner detection for dropped file 26->59 61 Drops PE files to the startup folder 26->61 29 igfxCUIService.exe 1 4 26->29         started        33 igfxCUIService.exe 26->33         started        process11 dnsIp12 47 ninfaaruna.ddns.net 85.86.181.192, 3333, 49727 EUSKALTELES Spain 29->47 41 C:\Users\user\AppData\...\igfxCUIService.exe, PE32 29->41 dropped 43 C:\...\igfxCUIService.exe:Zone.Identifier, ASCII 29->43 dropped file13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9/
Threat name:
ByteCode-MSIL.Trojan.Rrat
Create hunting rule
Status:
Malicious
First seen:
2021-06-14 12:29:37 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5kj27avetpz7cyn2kguicqmkw5t55e4dsirjnb6m5kfzjzh5hmq._file
Verdict:
malicious
Similar samples:
19ec45b87d0faf9d142f42ddb2a00c6c92a7522e0a143016d78e237c3a1731c3
RevengeRAT
4c09941ea97cf7234c04823c8fe5e7214326f78019c418f5fad6a54032808523
RevengeRAT
96337453f859782a8193073c8d903ccbe44fc23e86af0e1c08e53cc91aafc44a
RevengeRAT
a0cfcc96d6892c6416c98bd378714d5efc811d8f3dfbf97c1b84632a3db3d2f2
RevengeRAT
ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a
RevengeRAT
db5eb754fff22b0478702d838e7b0e4d7285e8859a4bcf6fe1288ca83ff16a8b
RevengeRAT
df94bb47792b33ee6ed059863be6e54764af7e128f944b677dcdac07518c3c09
RevengeRAT
e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78
RevengeRAT
fb7d52bfdf184bb47501b1b33ab849c317527c6cee28753c6e8ddee22f599fce
RevengeRAT
febdef9974bf664409076ee9ac44df9160df5b01ddde04dc9218ad731ca7486e
RevengeRAT
+ 129 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat botnet:....ali2 persistence stealer trojan
Link:
https://tria.ge/reports/210616-fyvesqctqs/
Behaviour
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
RevengeRat Executable
RevengeRAT
Malware Config
C2 Extraction:
127.0.0.1:3333
ninfaaruna.ddns.net:3333
ninfaaruna1.ddns.net:3333
anunankis1.duckdns.org:3333
anunankis10.duckdns.org:3333
Unpacked files
SH256 hash:
2c23878d0c9da152f47dd1ce09938fa324c19e7ce2398ff43f3df95f6f1ee76d
MD5 hash:
7516be3a354e4d245e52ace1e905fc0c
SHA1 hash:
fc85df8cd7ceb0bc596e3dc0ae1e6029d85bdd9e
Link:
https://www.unpac.me/results/06a880e3-2533-40d4-817b-a8a14127aa7e/
SH256 hash:
9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9
MD5 hash:
4dbcad0928d1922aebb5a6269e0590e4
SHA1 hash:
3abb538e25c7d67420c9b5cba27c3e0f3589b3c2
Link:
https://www.unpac.me/results/06a880e3-2533-40d4-817b-a8a14127aa7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f549d7c1524df9f8b0dd28d440a0c55bb3ef49c1c9114b43e67545ca727e9d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:MALWARE_Win_RevengeRAT
Create hunting rule
Author:ditekSHen
Description:RevengeRAT and variants payload
Rule name:pe_imphash
Create hunting rule
Rule name:RevengeRAT_Sep17
Create hunting rule
Author:Florian Roth
Description:Detects RevengeRAT malware
Reference:Internal Research
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments