revengerat | b46cfe9a77b661bd8a3202261f14afdf9947b0b9fee4a521fd9416bd608f7b89 | Triage

Submit
Reports

Overview

overview

Static

static

0be9d9ecce...18.exe

windows7-x64

0be9d9ecce...18.exe

windows10-2004-x64

Sharing

General

Target

0be9d9ecce9c762cf980963d33d1fa8d_JaffaCakes118
Size

141KB
Sample

240625-cbzbxavare
MD5

0be9d9ecce9c762cf980963d33d1fa8d
SHA1

a102c25f6bb4d4d50bb05dc93afa4c388f81c339
SHA256

b46cfe9a77b661bd8a3202261f14afdf9947b0b9fee4a521fd9416bd608f7b89
SHA512

78cc06d8d2165693070b5df1b91fec8556aeb1af23f17c687d3f20a0efaae7634aab8e82dffa78c85045c4d824c8b3e13bf7e24315d02a9dd280016cc31dc5a8
SSDEEP

3072:/1DJxvK/ruKjczmH30M9aNHC6i/LKVM5V3y8xF3L6YFWVaWTxhD:lwuKIKX1EViT4Mi8HdFWVTD

Score

10^/10

revengerat persistence spyware stealer trojan

Static task

static1

stealer revengerat

3 signatures

Behavioral task

behavioral1

Sample

0be9d9ecce9c762cf980963d33d1fa8d_JaffaCakes118.exe

Resource

win7-20240611-en

revengerat persistence spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

0be9d9ecce9c762cf980963d33d1fa8d_JaffaCakes118.exe

Resource

win10v2004-20240508-en

revengerat persistence spyware stealer trojan

windows10-2004-x64

14 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
thersddoser

Targets

- Target
  
  0be9d9ecce9c762cf980963d33d1fa8d_JaffaCakes118
- Size
  
  141KB
- MD5
  
  0be9d9ecce9c762cf980963d33d1fa8d
- SHA1
  
  a102c25f6bb4d4d50bb05dc93afa4c388f81c339
- SHA256
  
  b46cfe9a77b661bd8a3202261f14afdf9947b0b9fee4a521fd9416bd608f7b89
- SHA512
  
  78cc06d8d2165693070b5df1b91fec8556aeb1af23f17c687d3f20a0efaae7634aab8e82dffa78c85045c4d824c8b3e13bf7e24315d02a9dd280016cc31dc5a8
- SSDEEP
  
  3072:/1DJxvK/ruKjczmH30M9aNHC6i/LKVM5V3y8xF3L6YFWVaWTxhD:lwuKIKX1EViT4Mi8HdFWVTD
Score

10^/10

revengerat persistence spyware stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Active Setup

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

stealerrevengerat

behavioral1

revengeratpersistencespywarestealertrojan

behavioral2

revengeratpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy