MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3
SHA3-384 hash:	dcdba9acd92d1b61e243b76530f9bbc2a8bd31305b064f178b88f210b2e3f8ad8dad59ade9cfb2b466fcfc1ff6baf50c
SHA1 hash:	7d34f1adf91dc0ca2c98aa730aba7338f2a7f788
MD5 hash:	b47b583fa4f107aa3c8b9b664e2a91ae
humanhash:	william-orange-avocado-eight
File name:	gd4jPvuZ.exe
Download:	download sample
Signature	RevengeRAT Create hunting rule
File size:	16'896 bytes
First seen:	2020-12-21 15:47:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'494 x Formbook, 12'214 x SnakeKeylogger)
ssdeep	384:0RFaXOq9VxP+uGL9oDPlMNcLlb5sVKeye5Ct:0RFaXOq9VEhclMNEUo
Threatray	105 similar samples on MalwareBazaar
TLSH	6572E7E777F4A912C0FC27BD442621156B75834FAA10CB5E19E984FBB7A33C1AAC02D1
Reporter	pmelson
Tags:	exe Revenge RevengeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

1'431

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.RevengeRat-6344273-0

Win.Malware.Zusy-6804067-0

Win.Dropper.LimeRAT-9776087-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Sending a UDP request

Creating a window

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Revenge RevengeRAT

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/567531

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Detected Revenge RAT

Found RAT behaviour (information extraction to be send to C&C)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected RevengeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

revengerat

Link:

https://mwdb.cert.pl/sample/fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3/

Threat name:

Win32.Backdoor.RevengeRAT

Status:

Malicious

First seen:

2020-12-21 15:48:06 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7mxy5bshayggjpkhcdjbkeoclouamv4xm4rucze5m5g4slto23jq._file

Verdict:

malicious

RevengeRAT

291bf31470c9bcacec467c980adb7a3d111ebb6b72cf07147884a7eae5cabde9

RevengeRAT

2dd6421f948f25090a18784cab9348d5f5ab04b5b84a386f4ef7a70b19c61236

RevengeRAT

56e5859ed8dc27386e209b3cd4959be7c76c33b0b59deb8e4449cf23e99d4cbc

RevengeRAT

7bf399fd2232c77977014fb0089ee9c6b987c8833a6dbfbd33ec5c5e2c34ee6e

RevengeRAT

8efd6f95c39e86627b1f9cc553fa7bed152dbf4788662bee15d3b5bdf0c1b79e

RevengeRAT

b523a7038662d534bd80af942685562a66e6364bf0fbf68aecf9f1131363543d

RevengeRAT

b92fe7309b229fc2894d3b10b0a9cd148fb1b4214bffb3b0bd16ef219f21f632

RevengeRAT

cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d

RevengeRAT

ed7c7b0532ef7edc3a22795f2d5d60cbd7c7a3ffda4f1810e3b8295ca2fe0bf5

RevengeRAT

+ 95 additional samples on MalwareBazaar

Result

Malware family:

revengerat

Score:

10/10

Tags:

family:revengerat botnet:guest stealer

Link:

https://tria.ge/reports/201221-ksewct5npx/

Behaviour

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Malware Config

C2 Extraction:

2.tcp.ngrok.io:12510

Unpacked files

SH256 hash:

fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3

MD5 hash:

b47b583fa4f107aa3c8b9b664e2a91ae

SHA1 hash:

7d34f1adf91dc0ca2c98aa730aba7338f2a7f788

Detections:

win_revenge_rat_g2

Link:

https://www.unpac.me/results/e354b683-fb33-4a8d-a776-19aa9bca098a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

RevengeRAT

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_RevengeRAT Create hunting rule
Author:	ditekshen
Description:	RevengeRAT and variants payload

Rule name:	RevengeRAT_Sep17 Create hunting rule
Author:	Florian Roth
Description:	Detects RevengeRAT malware
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RevengeRAT

exe fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3

(this sample)

Link

https://www.virustotal.com/gui/file/fb2f8e8647060c64bd4710d21511c25ba8065797672341649d674dc92e6ed6d3/detection

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample