MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638
SHA3-384 hash:	3024682a0772201d577ead73d3741b781087fa7ef06b6c226840f5304506258ae5e43204cb825c345d6d2c446c9a9695
SHA1 hash:	b2734b24c3df3b6dbcc6b293d12528be46900726
MD5 hash:	fbdf4287d046c463794a71b9a01e8d33
humanhash:	quebec-mexico-winter-island
File name:	SuJFLtPM.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	16'896 bytes
First seen:	2021-01-11 19:02:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep	384:IWfmjvKlVTl+6xx/9oDPlMNcLlb5sVKH/y+5Ct:IWfmjvKlVtLclMNET7o
Threatray	109 similar samples on MalwareBazaar
TLSH	0172F89777F4A922C1BD23BD442221156B75934F9A20CF6E19E580FBB7A33C5AAC02D1
Reporter	pmelson
Tags:	exe Revenge RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

1'442

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SuJFLtPM.exe

Verdict:

Malicious activity

Analysis date:

2021-01-11 19:02:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/50ab6fcc-3b9d-4c57-b7e0-19f32b329239

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/111342/

Detection(s):

Win.Trojan.RevengeRat-6344273-0

Win.Malware.Zusy-6804067-0

Win.Dropper.LimeRAT-9776087-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a UDP request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Revenge RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/578335

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Detected Revenge RAT

Detected unpacking (overwrites its own PE header)

Found RAT behaviour (information extraction to be send to C&C)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

revengerat

Link:

https://mwdb.cert.pl/sample/dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638/

Threat name:

Win32.Backdoor.RevengeRAT

Status:

Malicious

First seen:

2021-01-11 19:03:05 UTC

AV detection:

38 of 46 (82.61%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=37ncuzecinwvfqqf3rhy4m5z3b4jebgjm6wjjd3fj3qeskddsy4a._file

Verdict:

malicious

RevengeRAT

291bf31470c9bcacec467c980adb7a3d111ebb6b72cf07147884a7eae5cabde9

RevengeRAT

2dd6421f948f25090a18784cab9348d5f5ab04b5b84a386f4ef7a70b19c61236

RevengeRAT

56e5859ed8dc27386e209b3cd4959be7c76c33b0b59deb8e4449cf23e99d4cbc

RevengeRAT

7bf399fd2232c77977014fb0089ee9c6b987c8833a6dbfbd33ec5c5e2c34ee6e

RevengeRAT

8efd6f95c39e86627b1f9cc553fa7bed152dbf4788662bee15d3b5bdf0c1b79e

RevengeRAT

b523a7038662d534bd80af942685562a66e6364bf0fbf68aecf9f1131363543d

RevengeRAT

b92fe7309b229fc2894d3b10b0a9cd148fb1b4214bffb3b0bd16ef219f21f632

RevengeRAT

cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

RevengeRAT

ed7c7b0532ef7edc3a22795f2d5d60cbd7c7a3ffda4f1810e3b8295ca2fe0bf5

RevengeRAT

+ 99 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:guest stealer

Link:

https://tria.ge/reports/210111-vffqyhrehs/

Behaviour

Suspicious use of AdjustPrivilegeToken

Malware Config

C2 Extraction:

hacker64033.duckdns.org:57846

Unpacked files

SH256 hash:

dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638

MD5 hash:

fbdf4287d046c463794a71b9a01e8d33

SHA1 hash:

b2734b24c3df3b6dbcc6b293d12528be46900726

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/a72a070b-7843-4d3f-9845-ae889d7366fd/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

RevengeRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekSHen
Description:	RevengeRAT and variants payload

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevengeRAT

exe dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638

(this sample)

Link

https://www.virustotal.com/gui/file/dfda2a6482436d52c205dc4f8e33b9d8789204c967ac948f654ee04928639638/detection

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/111342/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample