revengerat | f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71

General

Target

Docs draft comfirm.exe
Size

634KB
MD5

06b489cf55e5fb333ae93d27b8cfc520
SHA1

1d6657688be52c19e80bf600e669b83380418c28
SHA256

f2144d80f6316ad2fc3d92b1371e6b10fc620ddf38dc3d231a307627bad15b71
SHA512

ce4f269964a19722b29e295a5ee5cb4dac0aca5522e3bb9c82e19970a489015e20104bcd78b5f9cd47cf84aceae7b36715095a07352984158f685f8d41ff09a0

Score

10^/10

revengerat evapimp trojan

Malware Config

Extracted

Family

revengerat

Botnet

EVAPIMP

C2

canarybeachhotel.sa:2028

Mutex

RV_MUTEX-QD45QIW83Y0M3H43IAX1P6

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

Docs draft comfirm.exe

description pid process target process

PID 2204 set thread context of 4012 2204 Docs draft comfirm.exe Docs draft comfirm.exe

description	pid	process	target process
PID 2204 set thread context of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Docs draft comfirm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Docs draft comfirm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Docs draft comfirm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Docs draft comfirm.exe

pid process

2204 Docs draft comfirm.exe
2204 Docs draft comfirm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Docs draft comfirm.exe

description pid process

Token: SeDebugPrivilege 2204 Docs draft comfirm.exe

pid	process
2204	Docs draft comfirm.exe
2204	Docs draft comfirm.exe

description	pid	process
Token: SeDebugPrivilege	2204	Docs draft comfirm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Docs draft comfirm.exe

description	pid	process	target process
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 3952	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe
PID 2204 wrote to memory of 4012	2204	Docs draft comfirm.exe	Docs draft comfirm.exe

C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
"C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
  "C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe
  "C:\Users\Admin\AppData\Local\Temp\Docs draft comfirm.exe"
  2⤵
  - Checks processor information in registry
  PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Docs draft comfirm.exe.log

MD5
5e7bb97636a484b5a87e60373614279a

SHA1
36bfdec32eedb141a4a106d89a453326f62593ee

SHA256
12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20

SHA512
448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56

Download Submit
memory/2204-114-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/2204-115-0x00000000027D1000-0x00000000027D2000-memory.dmp

Filesize
4KB

Download
memory/4012-117-0x000000000040687E-mapping.dmp

Download
memory/4012-116-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4012-119-0x0000000000B00000-0x0000000000BAE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing