revengerat | ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

Analysis

max time kernel
149s
max time network
102s
platform
windows10_x64
resource
win10v20201028
submitted
20-11-2020 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

renekton2‮GPJ..exe
Size

20KB
MD5

126bd8afd4b7c1ad5676e489e7463511
SHA1

f08b87f487d7ea75a97ac10a7d995b5e83187f72
SHA256

ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454
SHA512

71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

Score

10^/10

revengerat client stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

127.0.0.1:333

127.0.0.1:37337

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2108-1-0x0000000000400000-0x000000000040A000-memory.dmp	revengerat
behavioral2/memory/2108-2-0x0000000000406D2E-mapping.dmp	revengerat
C:\Users\Admin\AppData\Roaming\teamviewer.exe	revengerat
C:\Users\Admin\AppData\Roaming\teamviewer.exe	revengerat
behavioral2/memory/1180-22-0x0000000000406D2E-mapping.dmp	revengerat
C:\Users\Admin\AppData\Roaming\teamviewer.exe	revengerat
behavioral2/memory/2924-40-0x0000000000406D2E-mapping.dmp	revengerat
C:\Users\Admin\AppData\Roaming\teamviewer.exe	revengerat
behavioral2/memory/4016-57-0x0000000000406D2E-mapping.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

teamviewer.exeteamviewer.exeteamviewer.exe

pid process

840 teamviewer.exe
2580 teamviewer.exe
4504 teamviewer.exe

pid	process
840	teamviewer.exe
2580	teamviewer.exe
4504	teamviewer.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

renekton2‮GPJ..exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exe

description	pid	process	target process
PID 4756 set thread context of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 2108 set thread context of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 840 set thread context of 1180	840	teamviewer.exe	RegSvcs.exe
PID 1180 set thread context of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 2580 set thread context of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2924 set thread context of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 4504 set thread context of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4016 set thread context of 4556	4016	RegSvcs.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2296 schtasks.exe

pid	process
2296	schtasks.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

renekton2‮GPJ..exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4756	renekton2‮GPJ..exe
Token: SeDebugPrivilege	2108	RegSvcs.exe
Token: SeDebugPrivilege	840	teamviewer.exe
Token: SeDebugPrivilege	1180	RegSvcs.exe
Token: SeDebugPrivilege	2580	teamviewer.exe
Token: SeDebugPrivilege	2924	RegSvcs.exe
Token: SeDebugPrivilege	4504	teamviewer.exe
Token: SeDebugPrivilege	4016	RegSvcs.exe

Suspicious use of WriteProcessMemory 65 IoCs

Processes:

renekton2‮GPJ..exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exeteamviewer.exeRegSvcs.exe

description	pid	process	target process
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 4756 wrote to memory of 2108	4756	renekton2‮GPJ..exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 4260	2108	RegSvcs.exe	RegSvcs.exe
PID 2108 wrote to memory of 840	2108	RegSvcs.exe	teamviewer.exe
PID 2108 wrote to memory of 840	2108	RegSvcs.exe	teamviewer.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 840 wrote to memory of 1180	840	teamviewer.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 1392	1180	RegSvcs.exe	RegSvcs.exe
PID 1180 wrote to memory of 2296	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 2296	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 2296	1180	RegSvcs.exe	schtasks.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2580 wrote to memory of 2924	2580	teamviewer.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 2924 wrote to memory of 4396	2924	RegSvcs.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4504 wrote to memory of 4016	4504	teamviewer.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe
PID 4016 wrote to memory of 4556	4016	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\renekton2‮GPJ..exe
"C:\Users\Admin\AppData\Local\Temp\renekton2‮GPJ..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4260

C:\Users\Admin\AppData\Roaming\teamviewer.exe
"C:\Users\Admin\AppData\Roaming\teamviewer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "teamviewer" /tr "C:\Users\Admin\AppData\Roaming\teamviewer.exe"
5⤵
- Creates scheduled task(s)
PID:2296

C:\Users\Admin\AppData\Roaming\teamviewer.exe
C:\Users\Admin\AppData\Roaming\teamviewer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4396

C:\Users\Admin\AppData\Roaming\teamviewer.exe
C:\Users\Admin\AppData\Roaming\teamviewer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
MD5
1708261ead079f22b92958d5f1a0a327

SHA1
1777e7861423863325a313e0654d82e161439544

SHA256
6c8cbff26aaf9e2cb9d9c633d0ef45cf8604456f5661720b8b5cbf3b115ed77c

SHA512
76f044cee4a1b1090a769a993f859e1379c5f9508d35463dbfc598a78b3d318bc55f2e3160d3b8a2c13833e1b9eaea6974567081dc279af63f0bda993d1398d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
MD5
01c97a9ee076601d1c5420a013bf3230

SHA1
125b4e7f4ea862a632a929ae6c95688f46ddb5d0

SHA256
1eaede495cd8133b36ee2667cbd47b070aa59fd4fdb1e7e8b54f341f86193f94

SHA512
730854ebb294edf1f10a20150962a6df58b9fdfef498f40aa3c4909b8ed54e3bf292cc2826dd3fc83cd792ffe005a50290af6d94e22b5fbeba10d6f674f17238

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
MD5
01c97a9ee076601d1c5420a013bf3230

SHA1
125b4e7f4ea862a632a929ae6c95688f46ddb5d0

SHA256
1eaede495cd8133b36ee2667cbd47b070aa59fd4fdb1e7e8b54f341f86193f94

SHA512
730854ebb294edf1f10a20150962a6df58b9fdfef498f40aa3c4909b8ed54e3bf292cc2826dd3fc83cd792ffe005a50290af6d94e22b5fbeba10d6f674f17238

Download Submit
C:\Users\Admin\AppData\Local\Temp\WGGjjtnx.txt
MD5
01c97a9ee076601d1c5420a013bf3230

SHA1
125b4e7f4ea862a632a929ae6c95688f46ddb5d0

SHA256
1eaede495cd8133b36ee2667cbd47b070aa59fd4fdb1e7e8b54f341f86193f94

SHA512
730854ebb294edf1f10a20150962a6df58b9fdfef498f40aa3c4909b8ed54e3bf292cc2826dd3fc83cd792ffe005a50290af6d94e22b5fbeba10d6f674f17238

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer.exe
MD5
126bd8afd4b7c1ad5676e489e7463511

SHA1
f08b87f487d7ea75a97ac10a7d995b5e83187f72

SHA256
ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

SHA512
71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer.exe
MD5
126bd8afd4b7c1ad5676e489e7463511

SHA1
f08b87f487d7ea75a97ac10a7d995b5e83187f72

SHA256
ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

SHA512
71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer.exe
MD5
126bd8afd4b7c1ad5676e489e7463511

SHA1
f08b87f487d7ea75a97ac10a7d995b5e83187f72

SHA256
ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

SHA512
71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer.exe
MD5
126bd8afd4b7c1ad5676e489e7463511

SHA1
f08b87f487d7ea75a97ac10a7d995b5e83187f72

SHA256
ca58619fd5de06d3b93040f7c7436887d73bfd11f5d8abc6abaa07fb35fbc454

SHA512
71a541dcf831a8d0b684356e777beb95dfe838d71c781b92c7128691cd5f9418c30340511891239500e60f2feeed3bb383adc0b212b97a37b40cff9af814bf06

Download Submit
memory/840-20-0x00007FFAEE830000-0x00007FFAEF1D0000-memory.dmp

Filesize
9.6MB

Download
memory/840-16-0x0000000000000000-mapping.dmp

Download
memory/1180-22-0x0000000000406D2E-mapping.dmp

Download
memory/1180-23-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/1392-32-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/1392-35-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1392-30-0x0000000000408356-mapping.dmp

Download
memory/2108-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2108-2-0x0000000000406D2E-mapping.dmp

Download
memory/2108-3-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/2108-6-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2296-36-0x0000000000000000-mapping.dmp

Download
memory/2580-38-0x00007FFAEE830000-0x00007FFAEF1D0000-memory.dmp

Filesize
9.6MB

Download
memory/2924-41-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-40-0x0000000000406D2E-mapping.dmp

Download
memory/4016-58-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4016-57-0x0000000000406D2E-mapping.dmp

Download
memory/4260-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4260-15-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4260-10-0x0000000000408356-mapping.dmp

Download
memory/4260-12-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4260-14-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/4396-48-0x0000000000408356-mapping.dmp

Download
memory/4396-50-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4504-55-0x00007FFAEE830000-0x00007FFAEF1D0000-memory.dmp

Filesize
9.6MB

Download
memory/4556-65-0x0000000000408356-mapping.dmp

Download
memory/4556-67-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-0-0x00007FFAEE830000-0x00007FFAEF1D0000-memory.dmp

Filesize
9.6MB

Download