A forum for reverse engineering, OS internals and malware analysis 

 #30624  by markusg
 Sat Jul 22, 2017 3:00 am
from this pastebin account
https://pastebin.com/u/MIcrosofts
the R2 paste
SHA256:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327
Filename:
d0c88e5d26f2f126013491a6b22667eb4abe1b3f23e5d649f39ba7706ffbd327....
Detection rate:
11 / 56
https://www.virustotal.com/de/file/d0c8 ... 500688070/

load this exe
http://store4.up-00.com/2017-07/150054074583631.png
https://www.virustotal.com/en/file/c460 ... /analysis/
 #30625  by Cody Johnston
 Sat Jul 22, 2017 7:46 am
markusg wrote: https://www.virustotal.com/en/file/c460 ... /analysis/
That is called 'RevengeRAT'
this.ID = "SGFja2VkIEJ5IEhhbGxhag==";
ID string says 'Hacked By Hallaj'

It gets the payload from pastebin: hxxps://pastebin.com/raw/UCXsTaZ8 then loads it using csc

contacts: hxxp://89.148.30.116 on port 948 for C2

2nd stage 'unpacked' here: https://www.virustotal.com/en/file/2bf7 ... 500708743/
 #30676  by Antelox
 Fri Aug 04, 2017 7:58 am
markusg wrote: is this something malicious?
It's a docx which doesn't look malicious to me.
markusg wrote: backdoor
SHA256:
46917915419ce17cbde789b5b73a3b5af518b370ec37f575906a2e93e4fc5a1d
Filename:
REV.exe
https://virustotal.com/de/file/46917915 ... /analysis/
It's Revenge RAT with C2:
haija.ddns.net:3333
markusg wrote: SHA256:
a70b7ed2aceac7b591bd64950fda5d358bc6d64d175fff61156a3eedc3a3f629
Filename:
disableTrial.exe
https://virustotal.com/de/file/a70b7ed2 ... /analysis/
It's BetaBot.

BR,

Antelox
 #32381  by EP_X0FF
 Mon Jan 07, 2019 5:33 am
markusg wrote: Thu Aug 03, 2017 11:14 pm backdoor
SHA256:
46917915419ce17cbde789b5b73a3b5af518b370ec37f575906a2e93e4fc5a1d
Filename:
REV.exe
https://virustotal.com/de/file/46917915 ... /analysis/
Revenge RAT.

After decrypting the payload, the dropper injects it into %WINDIR%\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe to continue execution.

Attached is the extracted actual payload, written in C#. Posts moved.
Attachments
pass infected
(8.06 KiB)
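Two details in this thread lend themselves to host-side detection: Cody Johnston's note that the loader fetches C# from pastebin and compiles it at runtime with csc, and EP_X0FF's note that the decrypted payload is injected into the .NET 2.0 RegAsm.exe. The script below is an added example written for this page, not code from the thread or from any of the posters. It decodes the base64 ID string quoted above and runs two simple checks over constructed Sysmon-style process-creation events (the events, the parent-process names and the list of "normal" csc.exe parents are all assumptions for illustration, not indicators from the samples).

```python
import base64
import shlex
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed shape, Sysmon-like fields)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def decode_rat_id(b64_id: str) -> str:
    """Decode the base64 'ID' string RevengeRAT embeds (value quoted in the thread)."""
    return base64.b64decode(b64_id).decode("utf-8")


# Path suffix named in the thread as the injection host (lower-cased for matching).
REGASM_V2_SUFFIX = r"\microsoft.net\framework\v2.0.50727\regasm.exe"

# Assumption: parents from which a runtime csc.exe launch is usually legitimate.
DEV_PARENTS = ("devenv.exe", "msbuild.exe", "vbcscompiler.exe", "dotnet.exe")


def suspicious_reasons(ev: ProcEvent) -> List[str]:
    """Return the reasons (if any) this event matches the two behaviours from the thread."""
    reasons: List[str] = []
    image = ev.image.lower()
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]

    # 1. csc.exe started by something that is not a build tool: payload compiled at runtime.
    if image.endswith("\\csc.exe") and parent not in DEV_PARENTS:
        reasons.append(f"csc.exe spawned by non-development parent {parent}")

    # 2. .NET 2.0 RegAsm.exe started with no arguments: a hollow host doing no COM registration.
    # posix=False keeps Windows backslashes and quoted paths as single tokens.
    tokens = shlex.split(ev.command_line, posix=False)
    if image.endswith(REGASM_V2_SUFFIX) and len(tokens) <= 1:
        reasons.append("v2.0 RegAsm.exe started without arguments (injection host pattern)")

    return reasons


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> reasons for every event that triggered at least one check."""
    return {i: r for i, ev in enumerate(events) if (r := suspicious_reasons(ev))}


# Constructed sample events (not telemetry from the samples in the thread).
SAMPLE_EVENTS = [
    ProcEvent(  # loader compiling fetched source at runtime
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
        parent_image=r"C:\Users\victim\AppData\Local\Temp\stage1_loader.exe",
        command_line=r'csc.exe /noconfig /nologo /out:C:\Users\victim\AppData\Local\Temp\p.dll C:\Users\victim\AppData\Local\Temp\p.cs',
    ),
    ProcEvent(  # argument-less RegAsm.exe as a hollow host
        image=r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
        parent_image=r"C:\Users\victim\AppData\Local\Temp\stage1_loader.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"',
    ),
    ProcEvent(  # benign: build tool invoking the compiler
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
        parent_image=r"C:\Program Files\MSBuild\msbuild.exe",
        command_line=r"csc.exe /noconfig @C:\build\obj\Release.rsp",
    ),
    ProcEvent(  # benign: RegAsm used for its real purpose, with arguments
        image=r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
        parent_image=r"C:\Windows\System32\cmd.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase C:\build\MyComAssembly.dll',
    ),
]


if __name__ == "__main__":
    print("RAT ID decodes to:", decode_rat_id("SGFja2VkIEJ5IEhhbGxhag=="))
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

Both checks are deliberately coarse and will need tuning for an environment's real build hosts; their value is that they key on behaviour (runtime compilation, an argument-less framework binary) rather than on the hashes or the C2 address posted here, which change from sample to sample.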