Malware analysis Revenge-RAT v0.3x.exe Malicious activity

Add for printing

File name:	Revenge-RAT v0.3x.exe
Full analysis:	https://app.any.run/tasks/3d3693c6-1a4a-46de-8529-a805928dbd3a
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	August 05, 2024, 19:04:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	miner antivm
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	D1E07BB41FF7DE2C390DA54E77E7B12F
SHA1:	086BE6814F70E8EC023F9C9572FEF6B46FDAF838
SHA256:	B265AE51D014E34EF1DB74DC62530E5D146114A3DD3F8EEFD80A7B66794CFD17
SSDEEP:	98304:AYLV5/bErQPcPZWFJTc+FxXNRm01INV6nOG15cH/UmxzDPOZz3kC11JyO7eYscNi:AU/Fbm0qgRjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 6812)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Deletes scheduled task without confirmation
  - schtasks.exe (PID: 6500)
- Executable content was dropped or overwritten
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - cmd.exe (PID: 6536)
  - cmd.exe (PID: 6632)
- Process drops legitimate windows executable
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Dropped object may contain URLs of mainers pools
  - Revenge-RAT v0.3x.exe (PID: 6316)
- The process executes via Task Scheduler
  - TiWorker.exe (PID: 6992)
- Adds/modifies Windows certificates
  - certutil.exe (PID: 7164)
- Add new program in existing scheduled task
  - schtasks.exe (PID: 6952)
- Executes application which crashes
  - Revenge-RAT v0.3.exe (PID: 6196)
- There is functionality for VM detection (VirtualBox)
  - TiWorker.exe (PID: 6992)
- Crypto Currency Mining Activity Detected
  - svchost.exe (PID: 2256)
INFO
- Reads mouse settings
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Checks supported languages
  - Revenge-RAT v0.3x.exe (PID: 6316)
  - Revenge-RAT v0.3.exe (PID: 6196)
  - TextInputHost.exe (PID: 6180)
- Create files in a temporary directory
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Process checks computer location settings
  - Revenge-RAT v0.3x.exe (PID: 6316)
- Reads the machine GUID from the registry
  - Revenge-RAT v0.3.exe (PID: 6196)
- Reads the computer name
  - Revenge-RAT v0.3.exe (PID: 6196)
  - TextInputHost.exe (PID: 6180)
- Checks proxy server information
  - WerFault.exe (PID: 5796)
- Reads the software policy settings
  - WerFault.exe (PID: 5796)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 5796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2018:12:27 13:26:42+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	12
CodeSize:	688640
InitializedDataSize:	8333312
UninitializedDataSize:	-
EntryPoint:	0x2fa1c
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

166

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

5796

C:\WINDOWS\system32\WerFault.exe -u -p 6196 -s 964

C:\Windows\System32\WerFault.exe

Revenge-RAT v0.3.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

6180

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

6196

"C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3.exe"

C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3.exe

Revenge-RAT v0.3x.exe

User:

admin

Company:

Revenge-RAT v0.3

Integrity Level:

HIGH

Description:

Revenge-RAT v0.3

Exit code:

3762504530

Version:

0.0.0.3

Modules

Images
c:\users\admin\appdata\local\temp\revenge-rat v0.3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6268

"C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3x.exe"

C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3x.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\appdata\local\temp\revenge-rat v0.3x.exe
c:\windows\system32\ntdll.dll

6316

"C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3x.exe"

C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3x.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\revenge-rat v0.3x.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

6340

C:\WINDOWS\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit

C:\Windows\System32\cmd.exe

—

Revenge-RAT v0.3x.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

6348

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6396

schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

6416

schtasks /End /TN "WindowsUpdate"

C:\Windows\System32\schtasks.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll

Add for printing

Total events

8 723

Read events

8 685

Write events

Delete events

Modification events


(PID) Process:	(7164) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION
(PID) Process:	(7164) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION
(PID) Process:	(7164) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
Operation:	write	Name:	Name
Value: szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL
(PID) Process:	(7164) certutil.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@%systemroot%\system32\wsdapi.dll,-200
Value: Trusted Devices
(PID) Process:	(7164) certutil.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\AppxPackaging.dll,-1001
Value: Trusted Packaged App Installation Authorities
(PID) Process:	(7164) certutil.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\SessEnv.dll,-101
Value: Remote Desktop
(PID) Process:	(7164) certutil.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\CertCA.dll,-304
Value: Endorsement Key Trusted Root Certification Authorities
(PID) Process:	(7164) certutil.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\CertCA.dll,-305
Value: Endorsement Key Intermediate Certification Authorities
(PID) Process:	(7164) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation:	delete value	Name:	1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C
Value:
(PID) Process:	(7164) certutil.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A5D6032D6D9ED6DDC1EF263822F5B22C340F22C
Operation:	write	Name:	Blob
Value: 0300000001000000140000001A5D6032D6D9ED6DDC1EF263822F5B22C340F22C200000000100000002050000308204FE308202E6020101300D06092A864886F70D01010B05003045310B3009060355040613025553311A3018060355040A0C114D6963726F736F66742057696E646F7773311A301806035504030C114D6963726F736F66742057696E646F7773301E170D3138303731323131303035365A170D3231303731313131303035365A3045310B3009060355040613025553311A3018060355040A0C114D6963726F736F66742057696E646F7773311A301806035504030C114D6963726F736F66742057696E646F777330820222300D06092A864886F70D01010105000382020F003082020A0282020100C15F2A2CDFBBF8865049E184AB3F4B74828B480008B366559D928071FDFBFC6608966E57EBA07AD4D107A16689D5D88E14C4A66D17ECC7B2A57FC963FF5BFF93BBA83F7A8223E929670A815D976E39E998CFDC738F60E0E88D9A1D0AA542068DE2C839A27EFF9AB1ADE2644D15EB097F51DCF14CAF0B3E4767FAC3542D948CA02E9798A3159F926608484CB1A0C9413B86DE62015CF0B2FD3C85CCD10A23E4F6784B8A943CEB61EA94B0D8EEF7B033FA7EC7040C18F5408A96931D47A0339EA3265C16CF945E057CB209D6005D0B37855E518DB93B2089DEC7F9A9E34CDDA865AD22510EE4999CE042BF81EAF96E581658CF2364A550DC0E74BD7300A64B68020821C1C98EAF2565203810439E5A4261DD26249C869E502B6D0754126CA6BB1F4E7DA0A3187556375EC24993B54036BC3CE80DAECAB76C77CD98311C64BE0DF1B2CEFA2FE5BA600CF3E285CEE17271494168541E4BEE04B4CB03735BAC76FDC1BD959B032CA1C23554189D903B9A352E2E494824DF6BC38601087A3E8ADA6CCF99FDEACA2F8EA8C4EE850260BE6DA2D36091461D9F8FFC117890BF4026EA8976F733C86AF3A0EC8490A764434C4C26F862CDC7032AEAE831C52B7C2B3A3084A4BC44B9ECCFDDD1E5AF2CF0208685FE41520DE2A2135B95C35C8DC5BD96E8F41B198CC0F0CB2BB48DA29D9AA89C8FD85B846E2E7304F60E3E7D23256F2E0962A10203010001300D06092A864886F70D01010B05000382020100A97C5234A2F72FB0446B99E6E366841F293EC9EA32AE06B6189BE69622C8B3C768C5811C4ADAE7953774F6CF44A5263E5CBDA9C5274026F8E17729126C4D428091A9C61A8B41309C14ED9A068A7F2B3A1725407DA7E57326A1A6BAA6D8FA66837EC3963E2199466F79E3427867F5B1891F7C0EC5BE577C64E6C685508EC97FB8D1F0357F4742ACBA57609B9A585C2CF94817D1D40859648C921A2DACC520EE466A328855297F65A3CB2BC6C79265D94EDDD03425CDCC4C800EA6B8ADADED1B1F0F4E244BF7EB9E1D3BE0E15FD76327D2661E4A0AF376DF3C5F8396649519DC5D7574A4B3A10CC43903BC290F8DEC92E63A1D5B71A4980EFCB8DCE7CDA8F04AF9528F74F4235ABF19DFCED939E5086D8500F1B5C450B14C9B16E06D8EC8D51C175D3E686BF3626265E977E34E3ABBCC764AD8D5B2C8B692A3D4B69974C4D9992BB77ED792A4EDA536A6CB7283F76ABE282D58263F6B493122C6EDFA76FFF0C5220F7BA651DFDCA5C628A9DBDDAEE5A5F02C77CD984E3B27F30B3919B5972C3B7FD4707B78F9F093DC9B6BD580198E88F926604142C032A3C429E304B09A6D6648A7390B09D256B98A18F3ADF2EE651713942AE2B0716341B7443718C92A93E84514D398202832610D510394D8651AAF72426B44D80246C0852C16793897C3B58D0E85C02F5F07BE96EB4B9808C8E8DA7EC12F96560B9513D86C1E6610B99FE272

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6316	Revenge-RAT v0.3x.exe	C:\Users\admin\AppData\Local\Temp\aut6C94.tmp		—
		MD5:—	SHA256:—
5796	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Revenge-RAT v0.3_716d2474a3ba4d7acb2134d0a828ae5f2ba47d16_1ff8b551_a2b074e9-cdea-48d7-bd60-382b5daeb1f4\Report.wer		—
		MD5:—	SHA256:—
5796	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Revenge-RAT v0.3.exe.6196.dmp		—
		MD5:—	SHA256:—
6316	Revenge-RAT v0.3x.exe	C:\Users\admin\AppData\Local\Temp\Revenge-RAT v0.3.exe		executable
		MD5:531D8B4AC8F7EB827D62424169321B2B	SHA256:6B2324BB337F722067E6C1B5CEF5F64E89338E2BECCF95289AAAA2AF8A0556B9
6316	Revenge-RAT v0.3x.exe	C:\Users\admin\AppData\Local\Temp\MicrosoftWindows.crt		text
		MD5:1BB617D3AAB1DBE2EC2E4A90BF824846	SHA256:1BF4CE2AEDC0CFB1365AB15C7E0C8C26B87890AD4008D56317B756B8745FF580
6316	Revenge-RAT v0.3x.exe	C:\Users\admin\AppData\Local\Temp\aut60B9.tmp		executable
		MD5:ECEDE3C32CE83FF76AE584C938512C5A	SHA256:366F1E9F9C99AA81034BADA3CC344F2FB5A74246E1D5851441244DF1ECC9AE6D
6316	Revenge-RAT v0.3x.exe	C:\Windows\SysWOW64\TiWorker.exe		executable
		MD5:ECEDE3C32CE83FF76AE584C938512C5A	SHA256:366F1E9F9C99AA81034BADA3CC344F2FB5A74246E1D5851441244DF1ECC9AE6D
6316	Revenge-RAT v0.3x.exe	C:\Windows\SysWOW64\config.json		binary
		MD5:3DA156F2D3307118A8E2C569BE30BC87	SHA256:F86AB68EADDD22FBE679EA5AB9CC54775E74081BEFFD758B30776BA103F396EB
6316	Revenge-RAT v0.3x.exe	C:\Users\admin\AppData\Local\Temp\aut6195.tmp		binary
		MD5:A80F4AB62222FB66237898E1C3F87DFE	SHA256:44375713CBB72C39908F79BAD79563852863D90C8CFE40038E9B248E7C1E82BE
6316	Revenge-RAT v0.3x.exe	C:\Windows\SysWOW64\MicrosoftWindows.xml		xml
		MD5:B1CBFCC7B7A5716A30B77F5DC5BB6135	SHA256:96F2FF4DDCADF6421071DAA6CDDA2CE866FB7B10D12CC1B20BD07CB131210430

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2584	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6300	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5240	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1164	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5240	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5796	WerFault.exe	52.168.117.173:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5336	SearchApp.exe	92.123.104.38:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.186.78	whitelisted
pool.minexmr.com	—	whitelisted
watson.events.data.microsoft.com	52.168.117.173	whitelisted
www.bing.com	92.123.104.38 92.123.104.41 92.123.104.49 92.123.104.21 92.123.104.33 92.123.104.30 92.123.104.26 92.123.104.19 92.123.104.28 92.123.104.65 92.123.104.7 92.123.104.54 92.123.104.63 92.123.104.60 92.123.104.66 92.123.104.53 92.123.104.67 92.123.104.61	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.67 20.190.159.68 40.126.31.69 40.126.31.73 20.190.159.23 20.190.159.75 40.126.31.71 20.190.159.2 20.190.159.73 20.190.159.4 20.190.159.0	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
th.bing.com	92.123.104.28 92.123.104.38 92.123.104.41 92.123.104.49 92.123.104.21 92.123.104.33 92.123.104.30 92.123.104.26 92.123.104.19 92.123.104.47 92.123.104.44 92.123.104.31 92.123.104.43 92.123.104.50 92.123.104.34 92.123.104.40	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool
2256	svchost.exe	Crypto Currency Mining Activity Detected	ET INFO DNS request for Monero mining pool

Add for printing

No debug info

General Info

Revenge-RAT v0.3x.exe

D1E07BB41FF7DE2C390DA54E77E7B12F

086BE6814F70E8EC023F9C9572FEF6B46FDAF838

B265AE51D014E34EF1DB74DC62530E5D146114A3DD3F8EEFD80A7B66794CFD17

98304:AYLV5/bErQPcPZWFJTc+FxXNRm01INV6nOG15cH/UmxzDPOZz3kC11JyO7eYscNi:AU/Fbm0qgRjf

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

SUSPICIOUS

Starts CMD.EXE for commands execution

Deletes scheduled task without confirmation

Executable content was dropped or overwritten

Uses NETSH.EXE to add a firewall rule or allowed programs

Process drops legitimate windows executable

Dropped object may contain URLs of mainers pools

The process executes via Task Scheduler

Adds/modifies Windows certificates

Add new program in existing scheduled task

Executes application which crashes

There is functionality for VM detection (VirtualBox)

Crypto Currency Mining Activity Detected

INFO

Reads mouse settings

Checks supported languages

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Reads the computer name

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings