MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a
SHA3-384 hash:	390b4fcfdcdd570f80aa57aabe0c2c040c079c79d38bf6da629cafaa289bd358fcae0bffab8da83c62a9175b4ae710ee
SHA1 hash:	16b5c5b0de016ef030b966533e374cbfcbb07628
MD5 hash:	8bebd374905cc33e3de17132a7b181c4
humanhash:	princess-india-carpet-potato
File name:	ti8Pmv4G.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	17'408 bytes
First seen:	2020-12-22 12:47:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'841 x AgentTesla, 19'773 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	384:2e9jSLvRPJnMtHdJ2OmbaiwjbAsVKKyuIO2stn4:2eh7J5mbNzAD2Y4
Threatray	106 similar samples on MalwareBazaar
TLSH	EE722AA667F88B12C1FE2B3D452270126730C6DBD621C72E29D9A0FB77A37C159407E6
Reporter	pmelson
Tags:	exe Revenge RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

1'645

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ti8Pmv4G.exe

Verdict:

Malicious activity

Analysis date:

2020-12-22 13:20:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/50e87d67-47ff-4f5b-8b45-1ba1d8105d77

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/108877/

Detection(s):

Win.Trojan.RevengeRat-6344273-0

Win.Dropper.LimeRAT-9776087-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Enabling the 'hidden' option for analyzed file

DNS request

Using the Windows Management Instrumentation requests

Sending a UDP request

Creating a process from a recently created file

Creating a file

Enabling the 'hidden' option for recently created files

Connection attempt

Sending a TCP request to an infection source

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Revenge RevengeRAT

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/568287

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Revenge RAT

Detected unpacking (overwrites its own PE header)

Drops PE files to the startup folder

Found RAT behaviour (information extraction to be send to C&C)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

revengerat

Link:

https://mwdb.cert.pl/sample/ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a/

Threat name:

Win32.Backdoor.RevengeRAT

Status:

Malicious

First seen:

2020-12-22 12:48:07 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vvetpxz7x4nsjk3vx42tiplpkhqqh63wg6e5gie6ruc5xzqv6z5a._file

Verdict:

malicious

RevengeRAT

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

RevengeRAT

56e5859ed8dc27386e209b3cd4959be7c76c33b0b59deb8e4449cf23e99d4cbc

RevengeRAT

7bf399fd2232c77977014fb0089ee9c6b987c8833a6dbfbd33ec5c5e2c34ee6e

RevengeRAT

8efd6f95c39e86627b1f9cc553fa7bed152dbf4788662bee15d3b5bdf0c1b79e

RevengeRAT

9c3c91edfaefea76fb34eddc89c356e32e0adf3d64ea020f61741020293d9b5b

RevengeRAT

a0cfcc96d6892c6416c98bd378714d5efc811d8f3dfbf97c1b84632a3db3d2f2

RevengeRAT

b523a7038662d534bd80af942685562a66e6364bf0fbf68aecf9f1131363543d

RevengeRAT

e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78

RevengeRAT

fb7d52bfdf184bb47501b1b33ab849c317527c6cee28753c6e8ddee22f599fce

RevengeRAT

+ 96 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:guest stealer trojan

Link:

https://tria.ge/reports/201222-ae99tycrx2/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops startup file

Executes dropped EXE

RevengeRat Executable

RevengeRAT

Malware Config

C2 Extraction:

tchelero-55169.portmap.host:55169
tchelero-55169.portmap.host:80
192.168.1.100:55169
192.168.1.100:80

Unpacked files

SH256 hash:

ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a

MD5 hash:

8bebd374905cc33e3de17132a7b181c4

SHA1 hash:

16b5c5b0de016ef030b966533e374cbfcbb07628

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/793106ee-d93a-4ab6-94ca-42a88160b61c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

RevengeRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekshen
Description:	RevengeRAT and variants payload

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevengeRAT

exe ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a

(this sample)

Link

https://www.virustotal.com/gui/file/ad4937df3fbf1b24ab75bf35343d6f51e103fb763789d3209e8d05dbe615f67a/detection

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/108877/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample