revengerat | 0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
Size

903KB
MD5

ee4abda808caacb606887c5f157c1850
SHA1

bfbf78f14654e6305e9ffa74c3e4edb72b75f52d
SHA256

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180
SHA512

3b7dff3adc474d707fbb88dcdef501f30cc844f7930d31f06f7bbea49f5a313044a96e1dfad0a94bb2e8f0ff523f184da2486c24c0bfb0f0ae3ccf5524cbb20f
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa5i:gh+ZkldoPK8YaKGi

Score

10^/10

revengerat marzo26 trojan

Malware Config

Extracted

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops startup file 1 IoCs

Processes:

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

description pid process target process

PID 2264 set thread context of 2732 2264 0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2732 RegAsm.exe

description	pid	process	target process
PID 2264 set thread context of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2732	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

pid	process
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

pid	process
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe

description	pid	process	target process
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe
PID 2264 wrote to memory of 2732	2264	0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0db0a1c875867d0a136bda1dfdb18b3365bc7a9b97c9aa9bc24675607e568180_NeikiAnalytics.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2264-0-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/2732-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2732-3-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/2732-8-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/2732-9-0x00000000000A0000-0x00000000000A8000-memory.dmp

Filesize
32KB

Download
memory/2732-10-0x0000000074952000-0x0000000074954000-memory.dmp

Filesize
8KB

Download
memory/2732-14-0x0000000074952000-0x0000000074954000-memory.dmp

Filesize
8KB

Download