MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63a555e3ad016c4ae07c5511224585d858d9f8f4fc07a8d58d739a974b29bd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d63a555e3ad016c4ae07c5511224585d858d9f8f4fc07a8d58d739a974b29bd4
SHA3-384 hash: 8d507fb6c953485ce82c8f8de848c0e9db1d755f36a53336f2052ac62cdc5697370e504c5943c32fcffb6bf950753845
SHA1 hash: f92fd82db5475647f9f8e2a4ab26235a449b2c49
MD5 hash: 7f97e2018da7ee85772a8e4a8c7180ee
humanhash: three-autumn-hydrogen-music
File name:7F97E2018DA7EE85772A8E4A8C7180EE.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:370'944 bytes
First seen:2021-07-09 23:50:32 UTC
Last seen:2021-07-10 01:02:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'799 x AgentTesla, 19'718 x Formbook, 12'278 x SnakeKeylogger)
ssdeep 6144:t6tYGmU0cmapCiV99LZKF5pythuGy+EUrtrRjsbHkOwMMQLbCMJX/YBjHG:/GnpFoTcrEJUxrRjsIJMMQLb/YdHG
Threatray 367 similar samples on MalwareBazaar
TLSH T17484F14E4EFD0270E1A696B2B8B6F4008BB2626F5814C94CB88D860B1B777D55357F3B
Reporter abuse_ch
Tags:exe RevengeRAT


Avatar
abuse_ch
RevengeRAT C2:
142.202.190.36:2404

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
142.202.190.36:2404 https://threatfox.abuse.ch/ioc/159452/

Intelligence

File Origin
# of uploads :
2
# of downloads :
989
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7F97E2018DA7EE85772A8E4A8C7180EE.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-09 23:52:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f7a9990c-bfaa-4a28-8d30-5db8e37493bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170745/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46591304.18922.9916.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fcccdf19-a3b4-456a-866c-56a171e9397d
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/814246
Signature
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446657 Sample: bsvu5KHlFz.exe Startdate: 10/07/2021 Architecture: WINDOWS Score: 96 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected RevengeRAT 2->42 44 5 other signatures 2->44 7 bsvu5KHlFz.exe 1 8 2->7         started        process3 file4 26 C:\Users\user\AppData\...\bsvu5KHlFz.exe, PE32 7->26 dropped 28 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\Adobe Acrobat.exe, PE32 7->30 dropped 32 3 other malicious files 7->32 dropped 46 Creates an undocumented autostart registry key 7->46 48 Writes to foreign memory regions 7->48 50 Injects a PE file into a foreign processes 7->50 11 bsvu5KHlFz.exe 7->11         started        14 bsvu5KHlFz.exe 2 7->14         started        17 AdvancedRun.exe 1 7->17         started        19 AdvancedRun.exe 1 7->19         started        signatures5 process6 dnsIp7 52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 36 hpdndbnb.duckdns.org 142.202.190.36, 2404, 49734, 49743 DYNUUS Reserved 14->36 21 AdvancedRun.exe 17->21         started        24 AdvancedRun.exe 19->24         started        signatures8 process9 dnsIp10 34 192.168.2.1 unknown unknown 21->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d63a555e3ad016c4ae07c5511224585d858d9f8f4fc07a8d58d739a974b29bd4/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-07 00:52:23 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2y5fkxr22almjlqhyvirejcylwcy3h4pj7ahvdky2442s5fstpka._file
Verdict:
malicious
Similar samples:
20c348d09305a7aff80b3967175a4f7a3c7debfa8a9ae7fbf3dc4bf31f0ec9f6
RevengeRAT
3ed17d1df70b71852be2335f91bdfe20cd4a319a7d22d407e6e82a8dbe91bc5f
RevengeRAT
4065ef6148d82e9b20fb8fb21b7969636fdc0218259f069adffabd3b2882cc81
RevengeRAT
7868ece7b29dcba357ff00b1e0394b6e8062eae5512c08a0dea575c2d4f55230
RevengeRAT
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
RevengeRAT
a576dd4d6b216109bf7044bc90ebd70a2205bffb43272b28f8f112b480eecea5
RevengeRAT
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
RevengeRAT
f0aec42c4adf98c914904d1fd3db75d1db56591088f12e27849cbc427aaf6c7d
RevengeRAT
+ 357 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat botnet:nyancatrevenge persistence trojan
Link:
https://tria.ge/reports/210709-xrnpqg8rhj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Modifies WinLogon for persistence
RevengeRAT
Malware Config
C2 Extraction:
hpdndbnb.duckdns.org:2404
Unpacked files
SH256 hash:
f48f27b67dcc1db86a11f102f03c3d5caf27afde6f7f4727bbde2ce88224bb34
MD5 hash:
20a411cfc9a28dd57992bfb3e2886970
SHA1 hash:
8c954c179245823a0bdc03b5afb369049ea6f78d
Detections:
win_revenge_rat_g2
Create hunting rule
Link:
https://www.unpac.me/results/e3e82d9d-7681-4e66-9104-c18669ed2645/
SH256 hash:
852c57a6926054e859f1e007ef28113847ea6c39c950a43323aaadbaafd8cfcf
MD5 hash:
0043d9a6b48883e9e0b666a6348f3ac6
SHA1 hash:
de441b70d41deedf97afe294b18985be4fac56a4
Link:
https://www.unpac.me/results/e3e82d9d-7681-4e66-9104-c18669ed2645/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/e3e82d9d-7681-4e66-9104-c18669ed2645/
SH256 hash:
55630c74187cf870481711a5d30084f5ba6e2eafa71a9a382c6935a1b0ba1906
MD5 hash:
9707e546ea1172650913c851f9480be3
SHA1 hash:
440affb03494cbc878417ca96bb12b1c01c767a6
Link:
https://www.unpac.me/results/e3e82d9d-7681-4e66-9104-c18669ed2645/
SH256 hash:
d63a555e3ad016c4ae07c5511224585d858d9f8f4fc07a8d58d739a974b29bd4
MD5 hash:
7f97e2018da7ee85772a8e4a8c7180ee
SHA1 hash:
f92fd82db5475647f9f8e2a4ab26235a449b2c49
Link:
https://www.unpac.me/results/e3e82d9d-7681-4e66-9104-c18669ed2645/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d63a555e3ad016c4ae07c5511224585d858d9f8f4fc07a8d58d739a974b29bd4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0ddeb53f957337fbeaf98c4a615b149d
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170745/

Comments