MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65
SHA3-384 hash:	ae6ad49b003c28452dd62001339c0777d30930d41d1d407b767108bf9fe67d273e2f7e13deb473751c23558c0946f4c1
SHA1 hash:	d4c05259f35840e96232bc41e1bd14defc73988f
MD5 hash:	aa9f37ce187d4b4556807f49f57ca678
humanhash:	paris-aspen-salami-beryllium
File name:	43SjNv5s.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	22'016 bytes
First seen:	2020-12-01 16:02:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep	384:8MOBXZNFvRPJnMkQ0zY/4o/JQGnAsVKWPyNYmMvo1CzYcHe+Z:8McZ3QTwUJ89hooszYcHe+Z
Threatray	100 similar samples on MalwareBazaar
TLSH	E2A2184EA7F85612D1FD13B92A6312126F35D6575A01CBAE38DC44AF6B733C08B812E2
Reporter	pmelson
Tags:	exe Revenge RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

1'456

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/106272/

Detection(s):

Win.Trojan.RevengeRat-6344273-0

Win.Dropper.LimeRAT-9776087-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Enabling the 'hidden' option for analyzed file

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Revenge RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

90 / 100

Link:

https://www.joesandbox.com/analysis/552582

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Detected Revenge RAT

Drops executables to the windows directory (C:\Windows) and starts them

Found RAT behaviour (information extraction to be send to C&C)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

revengerat

Link:

https://mwdb.cert.pl/sample/ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65/

Threat name:

ByteCode-MSIL.Backdoor.RevengeRAT

Status:

Malicious

First seen:

2020-12-01 16:03:04 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzj6pigvs2dng2co2hqux7xgjh2tux6tneeq3elkqh3ubejwrnsq._file

Verdict:

malicious

RevengeRAT

0f9f2ed3669af8502dfad754d0dc2e7682fe7bc4d0044f7cc3ca61a0e1170d15

RevengeRAT

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

RevengeRAT

56e5859ed8dc27386e209b3cd4959be7c76c33b0b59deb8e4449cf23e99d4cbc

RevengeRAT

7bf399fd2232c77977014fb0089ee9c6b987c8833a6dbfbd33ec5c5e2c34ee6e

RevengeRAT

8efd6f95c39e86627b1f9cc553fa7bed152dbf4788662bee15d3b5bdf0c1b79e

RevengeRAT

9c3c91edfaefea76fb34eddc89c356e32e0adf3d64ea020f61741020293d9b5b

RevengeRAT

b523a7038662d534bd80af942685562a66e6364bf0fbf68aecf9f1131363543d

RevengeRAT

d6b9a90b9c36ffb66a0bb4014ea50d5904400d774755a7d2edbb38f153b848c5

RevengeRAT

ed7c7b0532ef7edc3a22795f2d5d60cbd7c7a3ffda4f1810e3b8295ca2fe0bf5

RevengeRAT

+ 90 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:guest spyware stealer trojan

Link:

https://tria.ge/reports/201201-bfqa3ap92x/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in System32 directory

Reads user/profile data of web browsers

Executes dropped EXE

RevengeRat Executable

RevengeRAT

Malware Config

C2 Extraction:

4.tcp.ngrok.io:13284

Unpacked files

SH256 hash:

ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65

MD5 hash:

aa9f37ce187d4b4556807f49f57ca678

SHA1 hash:

d4c05259f35840e96232bc41e1bd14defc73988f

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/38416db1-93f9-4442-b76e-824fd9558c88/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae53e7a0d59686d3684ed1e14bfee649f53a5fd369090d916a81f74091368b65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.