RevengeRAT.md

File metadata and controls

64 lines (31 loc) · 2.21 KB

Revenge RAT

| Malware Name | File Type | SHA256 |
| --- | --- | --- |
| Revenge RAT | vbs | 35513e333c1138e4e1199640d44ea9eca3c91deb6c485f828c898a4e76ab5af5 |

Analysis process

This infection started with a suspicious email containing a link to a file hosted on OneDrive. The downloaded file is a VBS script, and its content is highly obfuscated:

[screenshot: obfuscated VBS content]

Here I used CMDWatcher in interactive mode to catch suspicious process spawns.

We see that the malware dropped a PowerShell script to AppData\local\temp. Opening it in PowerShell ISE:

[screenshot: dropped PowerShell script in PowerShell ISE]

The first thing that caught my eye was two long byte arrays, "RunPE" and "Bytes". There is plenty of other interesting material in the script, but we will come back to that a little later.

I dropped the two byte arrays to disk as files using PowerShell.

Inspecting the "Bytes" file reveals that it is a PE file:

[screenshot: header of the "Bytes" file]

Checking the signature confirms this.
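The carving step above (pull the byte arrays out of the dropped PowerShell script, write them to disk, and check whether each one is a PE file) can be scripted so it does not depend on pasting arrays into an ISE session. The following is an added example and not code from the original write-up: the loader text it parses is constructed to mimic the `[byte[]] $RunPE` / `$Bytes` pattern described above, and the minimal PE blob, variable names and output paths are assumptions.

```python
"""
Carve the embedded byte arrays out of a dropped PowerShell loader and test
each one for a PE header. Added example, not code from the original write-up;
the loader text below is constructed to mimic the "[byte[]] $RunPE / $Bytes"
pattern the analysis describes, and the minimal PE blob, variable names and
output paths are assumptions.
"""
from __future__ import annotations

import re
import struct
from pathlib import Path

# Matches "[byte[]] $Name = 0x4D,0x5A,..." with hex or decimal elements.
ARRAY_RE = re.compile(
    r"\[byte\[\]\]\s*\$(\w+)\s*=\s*((?:(?:0x[0-9A-Fa-f]{1,2}|\d{1,3})\s*,?\s*)+)"
)
ELEMENT_RE = re.compile(r"0x[0-9A-Fa-f]{1,2}|\d{1,3}")


def build_min_pe() -> bytes:
    """Constructed stand-in for the real 'Bytes' payload: a DOS header whose
    e_lfanew points at a PE signature followed by a 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    # Machine=i386, 3 sections, timestamp/symbols zeroed, SizeOfOptionalHeader=0xE0,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_script() -> str:
    """Constructed loader text with the two arrays named in the write-up."""
    def ps_array(name: str, data: bytes) -> str:
        return f"[byte[]] ${name} = " + ",".join(f"0x{b:02X}" for b in data)

    runpe_stub = b"compressed C# stand-in (not a real payload)"
    return "\n".join([
        "$Target = 'InstallUtil.exe'",
        ps_array("RunPE", runpe_stub),
        ps_array("Bytes", build_min_pe()),
    ])


def carve_byte_arrays(script: str) -> dict[str, bytes]:
    """Return {variable name: raw bytes} for every [byte[]] literal in the script."""
    arrays = {}
    for m in ARRAY_RE.finditer(script):
        elems = ELEMENT_RE.findall(m.group(2))
        arrays[m.group(1)] = bytes(
            int(e, 16) if e.lower().startswith("0x") else int(e, 10) for e in elems
        )
    return arrays


def pe_info(data: bytes) -> dict | None:
    """Return basic COFF fields if data has an MZ header pointing at 'PE\\0\\0', else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, n_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return {
        "machine": machine,
        "sections": n_sections,
        "is_dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
    }


def dump_arrays(script: str, out_dir: Path) -> dict[str, Path]:
    """Write each carved array to <out_dir>/<name>.bin and return the paths."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for name, data in carve_byte_arrays(script).items():
        path = out_dir / f"{name}.bin"
        path.write_bytes(data)
        written[name] = path
    return written


if __name__ == "__main__":
    import tempfile

    script = build_sample_script()
    for name, path in dump_arrays(script, Path(tempfile.mkdtemp())).items():
        info = pe_info(path.read_bytes())
        print(f"{name}: {path} -> {'PE ' + str(info) if info else 'not a PE file'}")
```

Against a real dropped script, replace `build_sample_script()` with the file contents; the MZ/PE check is deliberately strict (it follows `e_lfanew` rather than trusting the first two bytes), so a blob that merely starts with "MZ" is not reported as a PE.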

So, loading it into ILSpy:

[screenshot: decompiled binary in ILSpy]

And here is the malware config :)

We see that this is the "Revenge RAT".

C2: h0pe1759.ddns.net

Quick googling takes us to the exact repo this code was taken from:

[screenshot: source repository]

The code contains many capabilities, such as taking screenshots, retrieving system information, enumerating installed AV products and more (thanks to the malware author for the detailed documentation 😘).

[screenshot: RAT capabilities in the source]

The other file dropped to disk is compressed C# code that gets compiled at runtime; its purpose is to RunPE (AKA process hollowing) the RAT inside a legitimate binary, in this case InstallUtil.exe.
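Because hollowing leaves the on-disk InstallUtil.exe untouched, hash and path checks on the host process pass; what remains visible in process-creation telemetry is the parent relationship and the command line. The following hunting check is an added example, not part of the write-up: the records are constructed Sysmon-style process-creation events, and the two heuristics (script-host parent, no assembly argument) are assumptions about what the hollowed instance looks like, not something the write-up documents.

```python
"""
Hunting check for the final stage of the chain above, where runtime-compiled
C# hollows the RAT into InstallUtil.exe. Added example, not from the write-up:
the events are constructed, and the heuristics are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Interpreters that, in the chain above, end up launching the hollowed host.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Constructed events: a legitimate installer run, one matching the chain in the
# write-up, and an unrelated child of powershell.exe.
SAMPLE_EVENTS = [
    {"ProcessId": 1001,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Vendor\Service.exe"'},
    {"ProcessId": 4242,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"ProcessId": 4300,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "notepad.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _arguments(command_line: str) -> str:
    """Strip the (possibly quoted) executable token and return what remains."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', command_line, re.S)
    return m.group(1).strip() if m else ""


def installutil_findings(events):
    """Return InstallUtil.exe launches that look like a hollowing host rather than an install."""
    findings = []
    for ev in events:
        if _basename(ev["Image"]) != "installutil.exe":
            continue
        reasons = []
        if _basename(ev["ParentImage"]) in SCRIPT_HOSTS:
            reasons.append("parent is a script host")
        # A genuine InstallUtil run is handed an assembly path; a bare invocation
        # has nothing to install and only makes sense as a host for injected code.
        if not _arguments(ev["CommandLine"]):
            reasons.append("no assembly argument")
        if reasons:
            findings.append({"ProcessId": ev["ProcessId"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in installutil_findings(SAMPLE_EVENTS):
        print(f"PID {f['ProcessId']}: {', '.join(f['reasons'])}")
```

Either heuristic alone produces noise in some environments (build agents launch InstallUtil.exe from scripts, for instance), so in practice the two are combined and the hit is confirmed with a memory check of the process, which this creation-event rule cannot do on its own.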

While writing this up I found a detailed blog post on this exact infection by Morphisec.