MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb7392139a115fcf8e9f741d3187d5bdb682be4f7babc52e9fcd6bd6fc897c31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RevengeRAT

Vendor detections: 12

SHA256 hash: fb7392139a115fcf8e9f741d3187d5bdb682be4f7babc52e9fcd6bd6fc897c31
SHA3-384 hash: 1c77cc044e67f0aef4a6f55ba68b569f0f376ef3e3de934518f02aa065e6cdf749e168d7775a511ca97ca4cb34b39a4e
SHA1 hash: 53d833a9b6238247ae63deb0bbaeb1264c3dbffc
MD5 hash: 6631fd90c648d10b65e4778010c7c2fb
humanhash: batman-oranges-zebra-sweet
File name: FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
Signature: RevengeRAT
File size: 22'597'632 bytes
First seen: 2023-01-29 17:10:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep: 393216:tq5jjbBR1Ha+LAkVcPjvdgcKCqNSLIWURm/UHFo6FkhC:qBR1HDNOPJgcKCHhsHFDz
Threatray: 2'997 similar samples on MalwareBazaar
TLSH: T1073733AAC55311C18818B3B457F1FBAF748B823916865A3A9E15C837F9958FD0B80CFD
TrID: 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4505/5/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon: ccccd4ccf0b2aab2 (1 x RevengeRAT)
Reporter: abuse_ch
Tags: exe RevengeRAT


abuse_ch
RevengeRAT C2:
141.255.151.121:2222

Intelligence


File Origin
# of uploads: 1
# of downloads: 258
Origin country: n/a
Vendor Threat Intelligence
Malware family: revenge
ID: 1
File name: FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
Verdict: Malicious activity
Analysis date: 2023-01-29 17:11:10 UTC
Tags: trojan rat revenge

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Searching for synchronization primitives
DNS request
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a file
Enabling the 'hidden' option for recently created files
Creating a window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Moving a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Creating a file in the mass storage device
Sending an HTTP GET request to an infection source
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: quasarrat
Result
Threat name: RevengeRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected RevengeRAT
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 793836, Sample: FB7392139A115FCF8E9F741D318..., Startdate: 29/01/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.ExNuma
Status: Malicious
First seen: 2022-07-12 18:27:36 UTC
File Type: PE (Exe)
Extracted files: 3
AV detection: 24 of 39 (61.54%)
Threat level: 5/5
Result
Malware family: revengerat
Score: 10/10
Tags: family:revengerat persistence stealer trojan
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
RevengeRat Executable
RevengeRAT
Malware family: RevengeRAT
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments