MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f
SHA3-384 hash:	f187dc959c88795713b36922b3c100c136f1582bd56c7ada91fb152e1635be1d5aa3799762a959aa363328fdf76cce99
SHA1 hash:	69bbd9984c2506d983730e31e060636fd589134c
MD5 hash:	b673b67c3aabf040db0565b1db1d81e3
humanhash:	apart-single-lamp-sixteen
File name:	cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	114'024 bytes
First seen:	2021-02-28 07:03:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:/EBpUBL4CKb2WBfsfWl/mNkdof54cEfJPx:/EByBMCKaWfsfW5iw
Threatray	61 similar samples on MalwareBazaar
TLSH	CCB3C0409A805AC7DC98AD3497C6F5F21B366DFFC96D0A1718C835233EB53C99B14AAC
Reporter	JAMESWT_WT
Tags:	RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

1'209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f

Verdict:

Suspicious activity

Analysis date:

2021-02-28 07:04:31 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b353e249-42bd-4081-b6e3-4eca796180d2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/119733/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Sending a UDP request

Enabling the 'hidden' option for analyzed file

DNS request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/621276

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f/

Threat name:

ByteCode-MSIL.Infostealer.Azorult

Status:

Malicious

First seen:

2021-02-25 15:10:24 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=z6l2qv2ipf36oq2jhi6y2b35hsxneayavbw2c3otoxpgct56lz7q._file

Verdict:

malicious

RevengeRAT

7af6be720f63c86de10443745e332a5717aa9b14fa3e8ecca584ef370f2080da

RevengeRAT

7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78

RevengeRAT

d85497f61b07d8f8cc30c3c66ab21883a0274c7a3e7bc982a3a622ca2eed39a4

RevengeRAT

e0287568096f94034a8746adef8f4c08db4ef5f51134f90740b1c72eb1b1eb0b

RevengeRAT

e44ea6095036b15910c82941c0c3af5178687d3deeb9954adf9967cd833b9349

RevengeRAT

e72478765908b84f150ef0b7e895cfca0780a9107de6cf819ec5715f6f179acd

RevengeRAT

ed5c6f06e459285fa5e621026be965558add0841e7426ecee6d3e41d5e9b9761

RevengeRAT

edcf2ab0937689a7e0475395a8654f874e413649ee63100e61c4d1a8c09ba681

RevengeRAT

fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf

RevengeRAT

+ 51 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat stealer trojan

Link:

https://tria.ge/reports/210228-psca76fz56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

RevengeRat Executable

RevengeRAT

Unpacked files

SH256 hash:

da55f2013982403756f5a274b5562b37bf971b4fb385c2f47e413268b0fd8630

MD5 hash:

b80e2ebe3ce71ccfb6b6bb6cee618042

SHA1 hash:

7eaa35944dc42f5e5395c31025e5fee10e9e2e81

Link:

https://www.unpac.me/results/a317c724-c6e1-422d-9b86-82183d083f72/

SH256 hash:

c16fc0e4fb3757cda0c6ecdba05dd10fc8eb5c43812abb20aebf63c17586a319

MD5 hash:

07de6f5c579bd07747976e05d3e488c5

SHA1 hash:

5eae984b046070b92e1164bcb4d30a898a6437b9

Link:

https://www.unpac.me/results/a317c724-c6e1-422d-9b86-82183d083f72/

SH256 hash:

cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f

MD5 hash:

b673b67c3aabf040db0565b1db1d81e3

SHA1 hash:

69bbd9984c2506d983730e31e060636fd589134c

Link:

https://www.unpac.me/results/a317c724-c6e1-422d-9b86-82183d083f72/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/cf97a857487977e743493a3d8d077d3caed20300a86da16dd375de614fbe5e7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_NyanXCat_CSharpLoader Create hunting rule
Author:	ditekSHen
Description:	Detects .NET executables utilizing NyanX-CAT C# Loader

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/119733/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample