MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 12

Intelligence 12 IOCs 1 YARA 3 File information Comments

SHA256 hash:	f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8
SHA3-384 hash:	dc747398619ad306188fcabd5206601a8a55a5cbc0c20568579d1b7f739d151a1f63c1e4088f032c829395d1d74f1681
SHA1 hash:	dfb3bfb53ce0430c8af1ee7b145408d63b1bec67
MD5 hash:	c25b797d6737751936766cd50e26d725
humanhash:	queen-failed-mango-single
File name:	f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	24'576 bytes
First seen:	2022-03-31 14:49:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep	192:ET+8Pa9S8kjYTDGgbcp4LlpaSAfF9aEOnryD91ABkGxVXdqoNgRJw:ETP/jYTDGggp0a3fJWyDbAnxaoNr
Threatray	63 similar samples on MalwareBazaar
TLSH	T136B22A09B7DD4739C1BD07BC0DB342256375E5A39A62D70F1CD880EA8D52BD85B60BE8
Reporter	JAMESWT_WT
Tags:	exe RevengeRAT

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
45.147.230.231:2222	https://threatfox.abuse.ch/ioc/472629/

Intelligence

File Origin

# of uploads :

# of downloads :

556

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RevengeRAT

Link:

https://www.capesandbox.com/analysis/260180/

Detection(s):

Win.Packed.Razy-9645384-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm greyware limerat obfuscated packed razy revetrat

Link:

https://www.filescan.io/uploads/6245bf9d9253b276b7b49381/reports/03f2ec3a-723e-4202-af51-951ea9430206/overview

Malware family:

RevetRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a19b4539-ce3c-400d-970d-700c5b4a6c68

Result

Threat name:

RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/968432

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8/

Threat name:

ByteCode-MSIL.Backdoor.RevengeRAT

Status:

Malicious

First seen:

2022-03-30 04:10:08 UTC

AV detection:

33 of 41 (80.49%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=62zmld4yi2w4wkk63u6iuw7k5qy77454td3fapie5fn6h6pqolua._file

Verdict:

malicious

RevengeRAT

437a6cc11412d97bbcc791e3a68f9293fcf021f5770b1ba3f97efbb442496e94

RevengeRAT

54fe3682ed81da191c61ee8aced68014cd74fd021d3873dca8c8c74a754bf868

RevengeRAT

66bc28999e398e9ffcf4ff0f36c9b1be8aa85383aa067f574a6c7ac86502a072

RevengeRAT

708254cdf41cc083d542ecadbaddde76946d682fcb9feda7d36bcdde81798258

RevengeRAT

7648d6ed32626db79a637caa8f49a669487e1eb125dcd0670672896d512a8bc9

RevengeRAT

b1584e021f20a3fc1bdd989fd34f981c7cb57da76485780da9bb975f1333b342

RevengeRAT

c04ec7f7397f2fccbf7fd967a5aa4aeca57c17dc1dac557bbe405ca8423c35ee

RevengeRAT

e1552429cfd87856478c497f2d6fa7e175a140f5b882019fcce39a5557092578

RevengeRAT

ebe37e58ad73be76b4178d8b99d64c6505909113a9c3820f4aa2444bb551ef09

RevengeRAT

+ 53 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:mr_ahmed

Link:

https://tria.ge/reports/220331-r7jzeshfek/

Behaviour

Checks processor information in registry

Suspicious use of WriteProcessMemory

Malware Config

C2 Extraction:

45.147.230.231:2222

Unpacked files

SH256 hash:

f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8

MD5 hash:

c25b797d6737751936766cd50e26d725

SHA1 hash:

dfb3bfb53ce0430c8af1ee7b145408d63b1bec67

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/7b2c4070-10fc-470b-a8a2-5f4eaeab5a1b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/f6b2c58f9846adcb295edd3c8a5beaec31fff3bc98f6503d04e95be3f9f072e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekSHen
Description:	RevengeRAT and variants payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/Srujank48668412/status/1509520095068192780?s=20&t=bgrTQTnHhBcRFDf-9h4ixg

Cape

https://www.capesandbox.com/analysis/260180/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample