RevengeRAT

Forum for analysis and discussion about malware.
markusg
Posts: 735
Joined: Mon Mar 15, 2010 2:53 pm

RevengeRAT

Post by markusg » Sat Jul 22, 2017 3:00 am

from this pastebin account

Code:

https://pastebin.com/u/MIcrosofts
the R2 paste
SHA256:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327
Filename:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327....
Detection rate:
11 / 56
https://www.virustotal.com/de/file/d0c8 ... 500688070/

load this exe

Code:

http://store4.up-00.com/2017-07/150054074583631.png
https://www.virustotal.com/en/file/c460 ... /analysis/

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Malware collection

Post by Cody Johnston » Sat Jul 22, 2017 7:46 am

That is called 'RevengeRAT'

Code:

this.ID = "SGFja2VkIEJ5IEhhbGxhag==";
ID string says 'Hacked By Hallaj'

It gets the payload from pastebin: hxxps://pastebin.com/raw/UCXsTaZ8 then loads it using csc

contacts: hxxp://89.148.30.116 on port 948 for C2

2nd stage 'unpacked' here: https://www.virustotal.com/en/file/2bf7 ... 500708743/
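A small static-triage helper built around the indicator types reported in this thread (the base64 `ID` string, the pastebin raw payload URL and the host:port C2 values); this is an added example, not code posted by anyone here, and the strings dump it scans is constructed for illustration from the values quoted in the thread.

```python
import base64
import binascii
import re

# Constructed strings dump: a handful of lines modelled on what a strings
# run over this sample would show, mixed with harmless noise.
SAMPLE_STRINGS = """
System.Net.Sockets
this.ID = "SGFja2VkIEJ5IEhhbGxhag==";
hxxps://pastebin.com/raw/UCXsTaZ8
89.148.30.116:948
haija.ddns.net:3333
RegAsm.exe
not-base64-text
"""

# Quoted base64 literals (the RAT keeps its campaign ID this way).
B64_RE = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')
# pastebin raw URLs, accepting the defanged hxxp(s) form used in the thread.
PASTE_RE = re.compile(r'h(?:xx|tt)ps?://pastebin\.com/raw/(\w+)')
# IP-or-hostname followed by a port, the C2 form seen in both posts.
HOSTPORT_RE = re.compile(
    r'\b((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9.-]+\.[a-z]{2,}):(\d{2,5})\b', re.I)


def decode_id(token):
    """Decode a base64 token only if it yields printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def extract_indicators(strings_dump):
    """Return decoded ID strings, pastebin paste IDs and host:port C2 pairs."""
    ids = [d for d in (decode_id(t) for t in B64_RE.findall(strings_dump)) if d]
    paste_ids = PASTE_RE.findall(strings_dump)
    c2 = [f"{host}:{port}" for host, port in HOSTPORT_RE.findall(strings_dump)]
    return {"ids": ids, "paste_ids": paste_ids, "c2": c2}


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_STRINGS).items():
        print(key, values)
```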

markusg
Posts: 735
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Thu Aug 03, 2017 11:14 pm

backdoor
SHA256:
46917915419ce17cbde789b5b73a3b5af518b370ec37f575906a2e93e4fc5a1d
Filename:
REV.exe
https://virustotal.com/de/file/46917915 ... /analysis/

markusg
Posts: 735
Joined: Mon Mar 15, 2010 2:53 pm

Re: Malware collection

Post by markusg » Fri Aug 04, 2017 2:24 am

is this something malicious?

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Malware collection

Post by Antelox » Fri Aug 04, 2017 7:58 am

markusg wrote:
is this something malicious?

It's a docx which doesn't look malicious to me.

markusg wrote:
backdoor
SHA256:
46917915419ce17cbde789b5b73a3b5af518b370ec37f575906a2e93e4fc5a1d
Filename:
REV.exe
https://virustotal.com/de/file/46917915 ... /analysis/

It's Revenge RAT with C2:

Code:

haija.ddns.net:3333

markusg wrote:
SHA256:
a70b7ed2aceac7b591bd64950fda5d358bc6d64d175fff61156a3eedc3a3f629
Filename:
disableTrial.exe
https://virustotal.com/de/file/a70b7ed2 ... /analysis/

It's BetaBot.

BR,

Antelox

EP_X0FF
Global Moderator
Posts: 4884
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Malware collection

Post by EP_X0FF » Mon Jan 07, 2019 5:33 am

markusg wrote:
Thu Aug 03, 2017 11:14 pm
backdoor
SHA256:
46917915419ce17cbde789b5b73a3b5af518b370ec37f575906a2e93e4fc5a1d
Filename:
REV.exe
https://virustotal.com/de/file/46917915 ... /analysis/
Revenge RAT.

After decrypting the payload, the dropper injects it into %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe to continue execution.

Attached is the extracted actual payload, written in C#. Posts moved.
Ring0 - the source of inspiration
