revengerat | f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98

General

Target

Swift MT103 & Bank Details,pdf.exe
Size

783KB
MD5

c7b6950fc14795d0c9df548d62ccbf78
SHA1

5c8bd970726639a931d011123c7dd7cb3bb91352
SHA256

f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98
SHA512

e033ee11b5fabe72f9cbf11b9af8b701300ee4d6955ce1b6a72b25fcdcf29149e4d1d2e370a53d75a4180ece064d383f1622f141123abdeed8017e01b6c34009

Score

10^/10

revengerat billion trojan

Malware Config

Extracted

Family

revengerat

Botnet

BILLION

C2

rej.rejgroups.com:4040

Mutex

RV_MUTEX-Y6F7MMH6M66HDLJMYP6B6P

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

description pid process target process

PID 360 set thread context of 1548 360 Swift MT103 & Bank Details,pdf.exe Swift MT103 & Bank Details,pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 360 set thread context of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Swift MT103 & Bank Details,pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Swift MT103 & Bank Details,pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString	Swift MT103 & Bank Details,pdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

732 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

description pid process

Token: SeDebugPrivilege 360 Swift MT103 & Bank Details,pdf.exe

pid	process
732	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	360	Swift MT103 & Bank Details,pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

description	pid	process	target process
PID 360 wrote to memory of 732	360	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 360 wrote to memory of 732	360	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 360 wrote to memory of 732	360	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 360 wrote to memory of 732	360	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 360 wrote to memory of 1548	360	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBEC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:732
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  - Checks processor information in registry
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFBEC.tmp

MD5
97613dd2e0236c537a6506b531c8cf22

SHA1
5e5947523cbd2a7efa41a1e526bea38eb8bb9753

SHA256
9f7eeb679c70bd300ccfa01b8f52fee7fc6e9e7255dafec3881c6c67db83a478

SHA512
4983c0676491ec7dbc036f51853e22654cb381dfa52949b446918ced57a165c0e490118f308cd8958e77f23de9e8fd3a0635c3dcfb79491a966b80b07cffd3ee

Download Submit
memory/360-59-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/732-60-0x0000000000000000-mapping.dmp

Download
memory/1548-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1548-63-0x000000000040687E-mapping.dmp

Download
memory/1548-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1548-66-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads