revengerat | f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98

General

Target

Swift MT103 & Bank Details,pdf.exe
Size

783KB
MD5

c7b6950fc14795d0c9df548d62ccbf78
SHA1

5c8bd970726639a931d011123c7dd7cb3bb91352
SHA256

f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98
SHA512

e033ee11b5fabe72f9cbf11b9af8b701300ee4d6955ce1b6a72b25fcdcf29149e4d1d2e370a53d75a4180ece064d383f1622f141123abdeed8017e01b6c34009

Score

10^/10

revengerat billion trojan

Malware Config

Extracted

Family

revengerat

Botnet

BILLION

C2

rej.rejgroups.com:4040

Mutex

RV_MUTEX-Y6F7MMH6M66HDLJMYP6B6P

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Swift MT103 & Bank Details,pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Swift MT103 & Bank Details,pdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	Swift MT103 & Bank Details,pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	79
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	79
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	79
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	81
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	81
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	81
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	84
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	84
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	84
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	83
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	83
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	83
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	82

C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFE8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  - Checks processor information in registry
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1892-123-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/1892-124-0x0000000006700000-0x000000000671C000-memory.dmp

Filesize
112KB

Download
memory/1892-118-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1892-119-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/1892-120-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1892-121-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1892-117-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1892-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1892-122-0x00000000058B0000-0x00000000058CE000-memory.dmp

Filesize
120KB

Download
memory/1892-116-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4032-127-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4032-132-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4032-134-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads