MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d
SHA3-384 hash:	8703edecaa548062364531dfea9f6e96e0085d66f84168174621b2e18f4c3154751e59a4cd7708e8abd3bca99ade2533
SHA1 hash:	f9d0711a8f6f430ec3bfc597be43592cebdc649e
MD5 hash:	965a50b0cb0e05ba3fb39aa2dfb64980
humanhash:	july-crazy-december-vermont
File name:	ReOrder & Drawing Samples.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	347'136 bytes
First seen:	2020-08-14 10:05:07 UTC
Last seen:	2020-08-14 11:01:56 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4a0c33d818fc4e67f31e25997fee8a14 (1 x AgentTesla, 1 x RevengeRAT)
ssdeep	6144:fAevPxhcSWjZkZbIVPgfyWeh0l55dgxRPYxPWL6okWXdRVfxLg:fAeXQSWFcIVPgfPeOlaxRPYxBW
Threatray	66 similar samples on MalwareBazaar
TLSH	8E749D11B580C072D1A22830AA36EAB24C6E7C305D74968F77D83A795FB49D1E725F2F
Reporter	abuse_ch
Tags:	exe RevengeRAT Yahoo

abuse_ch

Malspam distributing unidentified malware:

HELO: sonic314-44.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.132.218
From: sunbumnin1@yahoo.com <sunbumnin1@yahoo.com>
Subject: ReOrder & Drawing Samples.pdf
Attachment: ReOrder & Drawing Samples.iso (contains "ReOrder & Drawing Samples.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

358

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/45775/

Detection(s):

PUA.Win.Downloader.Aiis-6803892-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Launching a process

Sending a UDP request

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Threat name:

Revenge RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/429346

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Detected Revenge RAT

Found RAT behaviour (information extraction to be send to C&C)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d/

Threat name:

Win32.Trojan.Wacatac

Status:

Malicious

First seen:

2020-08-14 10:07:04 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zldsn5vqxs3av5qqgou2lgxiq3xhizxwlyqbqxgujpsdzabynz6q._file

Verdict:

malicious

Similar samples:

09dc0634f467ebdef6a6094068a66d81f5af6577de7d6f1ed6da31c8e77195b2

299af7f15d174ff027a719a08a4fde2d269a5b90e2c2a41eea5fb7769d4b7f5e

87f6e7fcfc8e128ebeb584873aa61ede88aa020697743b38b6a35e12489d08d2

8eee7183404a9161fbabb05cb5b295649d79e911f1dea7b2abc3929a4d3dd80d

b92fe7309b229fc2894d3b10b0a9cd148fb1b4214bffb3b0bd16ef219f21f632

dcccd5e29b6209cec0a993bfa4e23c5635bf2edecf3cc3102b12ae1771e33eda

de35000537e325fd8ed05003a1114b71aa7366f23a6185c9d8133a3793673427

df48230380a555ceab5ec604e55d84b862de9f36ba2b0216d3897acde146586e

e6eda9918b257e317e921d294b903f9488929fe7ef2efc0955bd141d19e15855

f700e2d1915c46ceebc8ed4c2505e3a8f6f23d72f093aef5f1a3e2e50b8b85c2

+ 56 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

trojan family:revengerat

Link:

https://tria.ge/reports/200814-7qb2g93vb6/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RevengeRAT

Malware Config

C2 Extraction:

lordiyke.duckdns.org:2336

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso bd32b11e7ab2cecab2889b275fdd9ff7176f75d0e30f151d0f9a8a7960b4f629

exe cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

(this sample)

Dropped by

MD5 c1871cb159b1cd38000e1f42b3a547ff

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 bd32b11e7ab2cecab2889b275fdd9ff7176f75d0e30f151d0f9a8a7960b4f629

Cape

Cape

https://www.capesandbox.com/analysis/45775/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample