MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78
SHA3-384 hash:	e2a9e2696acd13808e47dea3ead5cc0ee3b14e955112cdaa1bfc70d73805ffbeac98efec627881faa104d90bee832497
SHA1 hash:	472dcc8685cd8ec76f47ba91f87f2bbb8852721e
MD5 hash:	3f6c9f05bf208a082ffbc1786347abd7
humanhash:	carpet-foxtrot-earth-mexico
File name:	e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	1'114'136 bytes
First seen:	2020-11-12 14:14:42 UTC
Last seen:	2024-07-24 22:25:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:IvWQf06hA40oChkJVzWa7npqKp6hpKNAaQC:Zd2zCmJtWa7806OYC
Threatray	98 similar samples on MalwareBazaar
TLSH	1735CE2273DDC3A0CB669073BF69B7016E7B78650670B85B2F981D7CA960171163CBA3
Reporter	seifreed
Tags:	RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

886

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Adding an access-denied ACE

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Connection attempt to an infection source

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78/

Threat name:

Win32.Trojan.Acapulco

Status:

Malicious

First seen:

2020-11-12 14:17:43 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4urd2l4wsy5m2d3zqzk3vlnxjoysmcytilrihg6ovxanvotml54a._file

Verdict:

malicious

RevengeRAT

116fa0f553b0b761790ed3c66cc2d03d05adf61a0a79ad88b28109527a2c4eba

RevengeRAT

31b10f1a4a6bb1e74af48d786c3c5957d1fdde4307adb24d5cbf06f278fc18ae

RevengeRAT

58b1cda0eed6c9fd00225e9928aa2e2c98d3fb6c78d2bc732507bdc080c6b47f

RevengeRAT

7bf399fd2232c77977014fb0089ee9c6b987c8833a6dbfbd33ec5c5e2c34ee6e

RevengeRAT

8eee7183404a9161fbabb05cb5b295649d79e911f1dea7b2abc3929a4d3dd80d

RevengeRAT

a0cfcc96d6892c6416c98bd378714d5efc811d8f3dfbf97c1b84632a3db3d2f2

RevengeRAT

a3933aa9648e59e45b51efdc1b646577b1ea9ca2bf2c0bfab51b9ba7cab362cb

RevengeRAT

b4d24111027d99bd0e7782a91122b314a5d032b1c1e328661924fde5cdf0713b

RevengeRAT

ed7c7b0532ef7edc3a22795f2d5d60cbd7c7a3ffda4f1810e3b8295ca2fe0bf5

RevengeRAT

+ 88 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:guest stealer trojan

Link:

https://tria.ge/reports/201112-n1xp2ynghj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Drops startup file

RevengeRat Executable

RevengeRAT

Malware Config

C2 Extraction:

178.17.174.71:3310

Unpacked files

SH256 hash:

e5223d2f96963acd0f798655baadb74bb1260b1342e2839bceadc0daba6c5f78

MD5 hash:

3f6c9f05bf208a082ffbc1786347abd7

SHA1 hash:

472dcc8685cd8ec76f47ba91f87f2bbb8852721e

Link:

https://www.unpac.me/results/92df0e67-b70c-4e88-aa18-8d598f9f042d/

SH256 hash:

0142e023c883fb1f4e242f9d0c3da6471843350752ed0d1ae003f2dfcd1d7a36

MD5 hash:

6395f1633cae09af454fafb6566939f1

SHA1 hash:

6b1932cb14d5b6d25d669b82d7cf6dfa44e120fc

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/92df0e67-b70c-4e88-aa18-8d598f9f042d/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekSHen
Description:	RevengeRAT and variants payload

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample