Edit tour

Windows Analysis Report
Revolt.bat

Overview

General Information

Sample name:	Revolt.bat
Analysis ID:	1654530
MD5:	085457da30fec8ea0f16f7790bde35c5
SHA1:	6a5fb36d0e605143c82a6caa42a408fc5ca8f45e
SHA256:	fc5ff6569ef980d7448d2e948dc4f8b3ea8385be2991357648877f0676f10928
Tags:	batWsgiDAVuser-JAMESWT_MHT
Infos:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Yara detected BlockedWebSite

Creates files inside the system directory

Deletes files inside the Windows folder

JA3 SSL client fingerprint seen in connection with other malware

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5872 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 5668 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2496,i,9687974529374164150,7302012809696030839,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2524 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6844 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Revolt.bat" MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Revolt.bat	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

HTML

Source	Rule	Description	Author	Strings
0.0.pages.csv	JoeSecurity_BlockedWebSite	Yara detected BlockedWebSite	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Phishing
• Compliance
• Networking
• System Summary

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected BlockedWebSite

Source: Yara match	File source: Revolt.bat, type: SAMPLE
Source: Yara match	File source: 0.0.pages.csv, type: HTML

Source: file:///C:/Users/user/Desktop/Revolt.bat

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 142.251.40.100:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 23.203.176.221
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: Revolt.bat	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: Revolt.bat	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 142.251.40.100:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir5872_1059601971

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir5872_1059601971

Jump to behavior

Source: classification engine

Classification label: mal48.phis.winBAT@22/0@2/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2496,i,9687974529374164150,7302012809696030839,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2524 /prefetch:3
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Revolt.bat"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2496,i,9687974529374164150,7302012809696030839,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2524 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Revolt.bat	0%	Virustotal		Browse
Revolt.bat	0%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
file:///C:/Users/user/Desktop/Revolt.bat	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
www.google.com	142.251.40.100	true	false	high
pki-goog.l.google.com	142.250.65.195	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/Revolt.bat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.cloudflare.com/learning/access-management/phishing-attack/	Revolt.bat	false		high
https://www.cloudflare.com/5xx-error-landing	Revolt.bat	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.251.40.100	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.23
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1654530
Start date and time:	2025-04-02 12:11:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowshtmlcookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Revolt.bat
Detection:	MAL
Classification:	mal48.phis.winBAT@22/0@2/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .bat

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 199.232.210.172, 142.250.64.78, 142.251.163.84, 172.217.165.142, 142.251.35.174, 142.250.65.206, 142.251.32.110, 142.250.65.174, 142.250.64.110, 142.251.41.3, 142.251.40.142, 142.251.40.110, 142.251.41.14, 142.250.65.195, 184.31.69.3, 20.12.23.50
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pki-goog.l.google.com	invoice.exe	Get hash	malicious	LummaC Stealer	Browse	172.217.165.131
	random.exe	Get hash	malicious	LummaC Stealer	Browse	142.250.80.35
	NVIDIA.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	142.251.35.163
	a.ps1	Get hash	malicious	PureCrypter, AsyncRAT	Browse	142.250.81.227
	PO-GST-20250401.vbs	Get hash	malicious	Remcos	Browse	142.251.32.99
	REQUEST FOR PRICE QUOTATION FOR THE REVISED ITEMS.exe	Get hash	malicious	Unknown	Browse	142.250.65.227
	cz4ZwB7N4G.exe	Get hash	malicious	Unknown	Browse	142.250.80.99
	https://maltese.com.br/share-sensitive-files-securely/	Get hash	malicious	HTMLPhisher	Browse	142.250.80.35
	uninstall.exe	Get hash	malicious	Unknown	Browse	142.250.65.227
	VUE-KMH-462E Missed Amex Entry-Mar-25 1.xlsm	Get hash	malicious	Unknown	Browse	142.250.65.163
bg.microsoft.map.fastly.net	OneD.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	Draft Copy.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	invoice.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	random.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	NVIDIA.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	199.232.214.172
	3UQbvgGmir.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	qWR3lUj.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.210.172
	index.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	199.232.214.172
	a.ps1	Get hash	malicious	PureCrypter, AsyncRAT	Browse	199.232.210.172
	NVIDIA.exe	Get hash	malicious	PureCrypter, AsyncRAT	Browse	199.232.210.172

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	cfr4.txt.ps1	Get hash	malicious	Unknown	Browse	131.253.33.254
	a.ps1	Get hash	malicious	PureCrypter, AsyncRAT	Browse	131.253.33.254
	https://rebrand.ly/ittechsupportonline	Get hash	malicious	HTMLPhisher	Browse	131.253.33.254
	https://www.terrabellaseniorliving.com/terrabella-little-avenue/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	131.253.33.254
	https://buildin.ai/share/5a345237-8f26-47b9-9ffb-209d1d646648?code=0GHW42&embed=true	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	131.253.33.254
	PO-Payment-Slip.vbs	Get hash	malicious	XWorm	Browse	131.253.33.254
	F Notice Docx 433 (1).html	Get hash	malicious	HTMLPhisher	Browse	131.253.33.254
	http://ok.fish-cloud-jar.us	Get hash	malicious	Unknown	Browse	131.253.33.254
	http://wovenfacade.com/	Get hash	malicious	Unknown	Browse	131.253.33.254
	http://convertix-api.xyz	Get hash	malicious	Unknown	Browse	131.253.33.254

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (394)
Entropy (8bit):	5.0502704465531485
TrID:	HyperText Markup Language (15015/1) 20.56% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (12001/1) 16.44% HyperText Markup Language (11501/1) 15.75% HyperText Markup Language (11501/1) 15.75%
File name:	Revolt.bat
File size:	4'560 bytes
MD5:	085457da30fec8ea0f16f7790bde35c5
SHA1:	6a5fb36d0e605143c82a6caa42a408fc5ca8f45e
SHA256:	fc5ff6569ef980d7448d2e948dc4f8b3ea8385be2991357648877f0676f10928
SHA512:	07568b52bdfcf390942b0f32f81fb8eaab892cbde7aaae84027623ff4cd8cca8dbb15e28e3014461c2f7d98ec6bdadddb0b8db7224fd7f6ca3b1dfd7266ca14c
SSDEEP:	96:1j9jwIjYjUDK/D5DMF+BOiUAt3ZLmmtlrR19PaQxJbGD:1j9jhjYjIK/Vo+tr3Z6mtlr39ieJGD
TLSH:	32918332F9BD153F10D3916265BDA7097AA4C053DB9B099036BCC1761F8EF45AE232C2
File Content Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 48
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 12:12:07.115518093 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 2, 2025 12:12:13.449750900 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:13.787367105 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:14.390733004 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:15.594454050 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:16.849433899 CEST	49681	80	192.168.2.4	2.17.190.73
Apr 2, 2025 12:12:17.996145964 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:19.232585907 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:19.232630968 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:19.232691050 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:19.232912064 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:19.232920885 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:19.497067928 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:19.497129917 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:19.498652935 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:19.498662949 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:19.498912096 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:19.539371014 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:21.775542974 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:22.084172010 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:22.694138050 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:22.896709919 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:23.912312984 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:25.158191919 CEST	49708	443	192.168.2.4	52.113.196.254
Apr 2, 2025 12:12:25.165101051 CEST	49708	443	192.168.2.4	52.113.196.254
Apr 2, 2025 12:12:25.291393995 CEST	443	49708	52.113.196.254	192.168.2.4
Apr 2, 2025 12:12:25.298810959 CEST	443	49708	52.113.196.254	192.168.2.4
Apr 2, 2025 12:12:25.301567078 CEST	443	49708	52.113.196.254	192.168.2.4
Apr 2, 2025 12:12:25.301587105 CEST	443	49708	52.113.196.254	192.168.2.4
Apr 2, 2025 12:12:25.301662922 CEST	49708	443	192.168.2.4	52.113.196.254
Apr 2, 2025 12:12:25.301712990 CEST	49708	443	192.168.2.4	52.113.196.254
Apr 2, 2025 12:12:25.437455893 CEST	49730	443	192.168.2.4	131.253.33.254
Apr 2, 2025 12:12:25.437499046 CEST	443	49730	131.253.33.254	192.168.2.4
Apr 2, 2025 12:12:25.437608004 CEST	49730	443	192.168.2.4	131.253.33.254
Apr 2, 2025 12:12:25.438013077 CEST	49730	443	192.168.2.4	131.253.33.254
Apr 2, 2025 12:12:25.438028097 CEST	443	49730	131.253.33.254	192.168.2.4
Apr 2, 2025 12:12:26.318605900 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:29.273936033 CEST	443	49730	131.253.33.254	192.168.2.4
Apr 2, 2025 12:12:29.274004936 CEST	49730	443	192.168.2.4	131.253.33.254
Apr 2, 2025 12:12:29.887068033 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:29.887204885 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:29.887397051 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:31.130660057 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:12:31.132534981 CEST	49726	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:12:31.132569075 CEST	443	49726	142.251.40.100	192.168.2.4
Apr 2, 2025 12:12:32.506083012 CEST	49671	443	192.168.2.4	204.79.197.203
Apr 2, 2025 12:12:40.740592003 CEST	49678	443	192.168.2.4	20.189.173.27
Apr 2, 2025 12:13:14.805712938 CEST	80	49710	23.203.176.221	192.168.2.4
Apr 2, 2025 12:13:14.805811882 CEST	49710	80	192.168.2.4	23.203.176.221
Apr 2, 2025 12:13:19.146476030 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:19.146528959 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:19.146634102 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:19.146785021 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:19.146804094 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:19.412821054 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:19.416347027 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:19.416390896 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:30.226166010 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:30.226241112 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:13:30.226305008 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:30.444714069 CEST	49735	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:13:30.444747925 CEST	443	49735	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:19.210011959 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:19.210051060 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:19.210119963 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:19.210300922 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:19.210314989 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:19.452497005 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:19.452788115 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:19.452831984 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:29.490808010 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:29.490943909 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:29.492858887 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:30.163943052 CEST	49750	443	192.168.2.4	142.251.40.100
Apr 2, 2025 12:14:30.163968086 CEST	443	49750	142.251.40.100	192.168.2.4
Apr 2, 2025 12:14:30.941683054 CEST	443	49708	52.113.196.254	192.168.2.4
Apr 2, 2025 12:14:33.058991909 CEST	443	49730	131.253.33.254	192.168.2.4
Apr 2, 2025 12:14:33.059175014 CEST	49730	443	192.168.2.4	131.253.33.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 2, 2025 12:12:05.611018896 CEST	53	51785	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:14.919462919 CEST	53	52921	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:15.073945045 CEST	53	58239	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:16.702697992 CEST	53	56710	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:19.087486982 CEST	52117	53	192.168.2.4	1.1.1.1
Apr 2, 2025 12:12:19.087707043 CEST	56575	53	192.168.2.4	1.1.1.1
Apr 2, 2025 12:12:19.221096992 CEST	53	56575	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:19.231348991 CEST	53	52117	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:33.739598989 CEST	53	49354	1.1.1.1	192.168.2.4
Apr 2, 2025 12:12:52.494894981 CEST	53	64793	1.1.1.1	192.168.2.4
Apr 2, 2025 12:13:14.520837069 CEST	53	56712	1.1.1.1	192.168.2.4
Apr 2, 2025 12:13:15.001956940 CEST	53	49601	1.1.1.1	192.168.2.4
Apr 2, 2025 12:13:19.978058100 CEST	53	59169	1.1.1.1	192.168.2.4
Apr 2, 2025 12:13:21.264847040 CEST	138	138	192.168.2.4	192.168.2.255
Apr 2, 2025 12:13:46.608915091 CEST	53	51534	1.1.1.1	192.168.2.4
Apr 2, 2025 12:14:30.304548025 CEST	53	50601	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 2, 2025 12:12:19.087486982 CEST	192.168.2.4	1.1.1.1	0xd8d	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:12:19.087707043 CEST	192.168.2.4	1.1.1.1	0xbbf4	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 2, 2025 12:12:05.611018896 CEST	1.1.1.1	192.168.2.4	0xd00	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 2, 2025 12:12:05.611018896 CEST	1.1.1.1	192.168.2.4	0xd00	No error (0)	pki-goog.l.google.com		142.250.65.195	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:12:07.234463930 CEST	1.1.1.1	192.168.2.4	0x3c52	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:12:07.234463930 CEST	1.1.1.1	192.168.2.4	0x3c52	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 2, 2025 12:12:19.221096992 CEST	1.1.1.1	192.168.2.4	0xbbf4	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 2, 2025 12:12:19.231348991 CEST	1.1.1.1	192.168.2.4	0xd8d	No error (0)	www.google.com		142.251.40.100	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5872, Parent PID: 3492

Function Logs

General

Target ID:	1
Start time:	06:12:08
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Process Activities

Process Created

Process Terminated

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5668, Parent PID: 5872

Function Logs

General

Target ID:	2
Start time:	06:12:13
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2496,i,9687974529374164150,7302012809696030839,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2524 /prefetch:3
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6844, Parent PID: 3492

Function Logs

General

Target ID:	4
Start time:	06:12:19
Start date:	02/04/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Revolt.bat"
Imagebase:	0x7ff786830000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Revolt.bat

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5872, Parent PID: 3492

General

File Activities

File Opened

File Created

File Deleted

File Moved

Other File Operations

Registry Activities

Key Deleted

Key Value Deleted

COM Activities

WMI Operations

Process Activities

Windows Analysis Report
Revolt.bat