MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RevengeRAT


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf
SHA3-384 hash: 9f547cd9243358d2888814c500e3dfad9102a26d7f8147063dbc22789e6049127d791472284d64e5119b0e05d25636cb
SHA1 hash: 13962c04bafe361466cce63abd389f9ce149debb
MD5 hash: df85f50f72f850fb70d6464e17053c4a
humanhash: white-music-lactose-avocado
File name:df85f50f72f850fb70d6464e17053c4a.exe
Download: download sample
Signature RevengeRAT
Create hunting rule
File size:24'008 bytes
First seen:2020-12-19 12:40:00 UTC
Last seen:2020-12-19 14:33:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:F85kvS1GRQIu0yVFjFMN3Ib12uSy75chDgf2h2W:G5kvSTIAFMOb3SEWhUf2hv
Threatray 58 similar samples on MalwareBazaar
TLSH E1B22B698BCB4C03F5FDE6701787C2E04BA6DBC3B07296AFA4D8C4755582AD434252F9
Reporter abuse_ch
Tags:exe RevengeRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'504
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
df85f50f72f850fb70d6464e17053c4a.exe
Verdict:
Malicious activity
Analysis date:
2020-12-19 12:46:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/923bb5b7-a068-40f5-b460-863dd2b1dd69

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108548/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.10.Gen.28858.21949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Creating a file
Connection attempt
Sending a UDP request
Creating a file in the %AppData% directory
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RevengeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/566784
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RevengeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332475 Sample: s5OrBx3p7e.exe Startdate: 19/12/2020 Architecture: WINDOWS Score: 100 85 trabsonrx.duckdns.org 2->85 87 hastebin.com 2->87 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for dropped file 2->107 109 Multi AV Scanner detection for dropped file 2->109 111 8 other signatures 2->111 9 s5OrBx3p7e.exe 15 4 2->9         started        14 s5OrBx3p7e.exe 3 2->14         started        16 System32.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 101 hastebin.com 104.24.127.89, 443, 49727, 49734 CLOUDFLARENETUS United States 9->101 83 C:\Users\user\AppData\...\s5OrBx3p7e.exe.log, ASCII 9->83 dropped 115 Drops script or batch files to the startup folder 9->115 117 Drops VBS files to the startup folder 9->117 119 Drops PE files to the startup folder 9->119 20 s5OrBx3p7e.exe 2 17 9->20         started        24 cmd.exe 1 9->24         started        121 Injects a PE file into a foreign processes 14->121 26 cmd.exe 1 14->26         started        28 s5OrBx3p7e.exe 14->28         started        30 s5OrBx3p7e.exe 14->30         started        32 s5OrBx3p7e.exe 14->32         started        34 s5OrBx3p7e.exe 16->34         started        37 s5OrBx3p7e.exe 18->37         started        file6 signatures7 process8 dnsIp9 89 trabsonrx.duckdns.org 188.250.245.239, 5000 MEO-RESIDENCIALPT Portugal 20->89 73 C:\Users\user\AppData\Roaming\System32, PE32 20->73 dropped 75 C:\Users\user\AppData\Roaming\...\System32, PE32 20->75 dropped 77 C:\Users\user\AppData\...\System32.vbs, ASCII 20->77 dropped 79 C:\Users\user\AppData\Roaming\...\System32.js, ASCII 20->79 dropped 39 vbc.exe 6 20->39         started        43 schtasks.exe 1 20->43         started        45 conhost.exe 24->45         started        47 timeout.exe 1 24->47         started        49 conhost.exe 26->49         started        51 timeout.exe 26->51         started        91 104.24.126.89, 443, 49737, 49743 CLOUDFLARENETUS United States 34->91 93 hastebin.com 34->93 103 Injects a PE file into a foreign processes 34->103 53 cmd.exe 34->53         started        55 s5OrBx3p7e.exe 34->55         started        95 172.67.143.180, 443, 49739, 49741 CLOUDFLARENETUS United States 37->95 97 192.168.2.1 unknown unknown 37->97 99 hastebin.com 37->99 57 cmd.exe 37->57         started        file10 signatures11 process12 file13 81 C:\Users\user\AppData\...\System32.exe, PE32 39->81 dropped 113 Drops PE files to the startup folder 39->113 59 conhost.exe 39->59         started        61 cvtres.exe 1 39->61         started        63 conhost.exe 43->63         started        65 conhost.exe 53->65         started        67 timeout.exe 53->67         started        69 conhost.exe 57->69         started        71 timeout.exe 57->71         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf/
Threat name:
ByteCode-MSIL.Backdoor.RevengeRAT
Create hunting rule
Status:
Malicious
First seen:
2020-12-16 13:32:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
460cca0f6a1acc665e76da5539844db4fd042761cbe9641a2b9fb663a322a3ab
RevengeRAT
7af6be720f63c86de10443745e332a5717aa9b14fa3e8ecca584ef370f2080da
RevengeRAT
7cf96df65a9ae5e9c54e3716b802260854b93d0cdf5686d49630204c3576bb78
RevengeRAT
a324263f8734bb62ba035022d5533419994482ccd63f8adbf717ae52a9c2e6e1
RevengeRAT
d85497f61b07d8f8cc30c3c66ab21883a0274c7a3e7bc982a3a622ca2eed39a4
RevengeRAT
e0287568096f94034a8746adef8f4c08db4ef5f51134f90740b1c72eb1b1eb0b
RevengeRAT
e44ea6095036b15910c82941c0c3af5178687d3deeb9954adf9967cd833b9349
RevengeRAT
e72478765908b84f150ef0b7e895cfca0780a9107de6cf819ec5715f6f179acd
RevengeRAT
ed5c6f06e459285fa5e621026be965558add0841e7426ecee6d3e41d5e9b9761
RevengeRAT
edcf2ab0937689a7e0475395a8654f874e413649ee63100e61c4d1a8c09ba681
RevengeRAT
+ 48 additional samples on MalwareBazaar
Result
Malware family:
revengerat
Create hunting rule
Score:
  10/10
Tags:
family:revengerat stealer trojan
Link:
https://tria.ge/reports/201219-jfvpjlegva/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
RevengeRat Executable
RevengeRAT
Unpacked files
SH256 hash:
fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf
MD5 hash:
df85f50f72f850fb70d6464e17053c4a
SHA1 hash:
13962c04bafe361466cce63abd389f9ce149debb
Link:
https://www.unpac.me/results/aa2a3afa-b0b6-4d64-b90e-d1d58628d80a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe614080646708a020532d8dac57d96767d07ac9f605e86ba306dbfd8f9d51cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/108548/

Comments