revengerat | 0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48 | Triage

Submit
Reports

Overview

overview

Static

static

0fdf328426...18.exe

windows7-x64

0fdf328426...18.exe

windows10-2004-x64

8

Sharing

General

Target

0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118
Size

598KB
Sample

240625-25grdssamr
MD5

0fdf328426ecf86ef63b76949fd208fc
SHA1

4e1c12e0108a6e82ab112e618cd1cde5eb04cbf2
SHA256

0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48
SHA512

4b669582aece23c54c95b3cb5e4f077849e13e4b2aff323a010fa4f0a7aa0d025feadeb76385857a0269c5730877ccc3cdbec529d2fad915efcedea013871f08
SSDEEP

6144:twwD6UiF6ojFnFeVZLHrwwDgUiF6ojFnFeVZL8+nOj0FZOUxku0GzTVowvYy:mC44UefsCu4UefFVXTmRy

Score

10^/10

revengerat evasion persistence stealer

Static task

static1

stealer revengerat

3 signatures

Behavioral task

behavioral1

Sample

0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe

Resource

win7-20240220-en

evasion persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118.exe

Resource

win10v2004-20240508-en

evasion persistence

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
283105420

Targets

- Target
  
  0fdf328426ecf86ef63b76949fd208fc_JaffaCakes118
- Size
  
  598KB
- MD5
  
  0fdf328426ecf86ef63b76949fd208fc
- SHA1
  
  4e1c12e0108a6e82ab112e618cd1cde5eb04cbf2
- SHA256
  
  0592fd7640b20937bb288c44e06d924daa1e3397f55b54440a7c12e7979d8e48
- SHA512
  
  4b669582aece23c54c95b3cb5e4f077849e13e4b2aff323a010fa4f0a7aa0d025feadeb76385857a0269c5730877ccc3cdbec529d2fad915efcedea013871f08
- SSDEEP
  
  6144:twwD6UiF6ojFnFeVZLHrwwDgUiF6ojFnFeVZL8+nOj0FZOUxku0GzTVowvYy:mC44UefsCu4UefFVXTmRy
Score

10^/10

evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Replication Through Removable Media

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

stealerrevengerat

behavioral1

evasionpersistence

behavioral2

evasionpersistence

© 2018-2024

Terms | Privacy