revengerat | acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

General

Target

file.exe
Size

17KB
MD5

af48897e401a79baf8086585c18cf8fe
SHA1

44e9a2699d07cbba45493000287ab5dfbe86df77
SHA256

acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
SHA512

c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

tzii.myq-see.com:888

Mutex

RV_MUTEX-IUnoWrUUgHRHXJv

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

IMD.exe

pid process

916 IMD.exe
Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exeIMD.exe

description pid process

Token: SeDebugPrivilege 1756 file.exe
Token: SeDebugPrivilege 916 IMD.exe

pid	process
916	IMD.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1756	file.exe
Token: SeDebugPrivilege	916	IMD.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

file.exeIMD.exevbc.exe

description	pid	process	target process
PID 1756 wrote to memory of 916	1756	file.exe	IMD.exe
PID 1756 wrote to memory of 916	1756	file.exe	IMD.exe
PID 1756 wrote to memory of 916	1756	file.exe	IMD.exe
PID 916 wrote to memory of 272	916	IMD.exe	vbc.exe
PID 916 wrote to memory of 272	916	IMD.exe	vbc.exe
PID 916 wrote to memory of 272	916	IMD.exe	vbc.exe
PID 272 wrote to memory of 1084	272	vbc.exe	cvtres.exe
PID 272 wrote to memory of 1084	272	vbc.exe	cvtres.exe
PID 272 wrote to memory of 1084	272	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D55.tmp"
4⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4D66.tmp
MD5
4c7cd9b373e75dd95527a9fe5a3f7863

SHA1
a347be70e545185a2af2accdd9658a971c3d5de1

SHA256
9d9867b8daa1b66e63fb76c617d4476b2baafef91fee7f4cc6c47d1b51b63895

SHA512
fd4ad11b4a5e6bbf46585cbd05af3c80ee78a342cdcc28974d4c9807c060e3170bfefa4f325571b938c62befc4317917f505b5977e07df047dc918a837083679

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.0.vb
MD5
766a80b102cc61cdfdef05f5d41ecf49

SHA1
8fc5687cf17d514917cb83ecb78a319b64c2017f

SHA256
70b93e450b765949ac432258843141724da8f4979079e124aa80f0f9f1e4e14e

SHA512
975aead67d67998e892f7e446d3b86b014f89a0aba3aecc77d596f56eef2f45c8b7c1cc161e7a6c911b07074391a8cb74dae50d61d6dd8905866d83730a10003

Download Submit
C:\Users\Admin\AppData\Local\Temp\k7lp0rdk.cmdline
MD5
56e2c0fee1f978cada52d1ecffdb3857

SHA1
55ad8c7fa24666eb3201e05cd9e013681a441f89

SHA256
797c63f82402c6eb42dfa122b05eb797fd801c74e0a25c830da5f2f046ec5f61

SHA512
7fa6274fa254ac178b5c26d0c0da764ee279218655511940bf2621acbe83b5373573d1215997b554ab1b55cf738f2f3ed69caf7ba616140047623822664fb50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D55.tmp
MD5
f4204a25f9fd3b86c1af2514bee21827

SHA1
f8ba207bc7b2cc6b0f5f5d43284019f78ca72e68

SHA256
38aa7f22bdb395980c540ec2057562e5678607f8c573c82a68c074d3445b3fc4

SHA512
240a811734eecc6c48ebcbf6f39b4afc1d3398e248ba7062f2eba2b2e44a9d28a526aeef40dff833e2eaed286209668d926e50fd1b9f3b4e5bd2704c938733d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
MD5
af48897e401a79baf8086585c18cf8fe

SHA1
44e9a2699d07cbba45493000287ab5dfbe86df77

SHA256
acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

SHA512
c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
MD5
af48897e401a79baf8086585c18cf8fe

SHA1
44e9a2699d07cbba45493000287ab5dfbe86df77

SHA256
acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

SHA512
c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1

Download Submit
memory/272-7-0x0000000000000000-mapping.dmp

Download
memory/916-5-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/916-6-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/916-2-0x0000000000000000-mapping.dmp

Download
memory/1084-10-0x0000000000000000-mapping.dmp

Download
memory/1756-0-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download
memory/1756-1-0x000007FEF6070000-0x000007FEF6A0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing