revengerat | f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98

General

Target

Swift MT103 & Bank Details,pdf.exe
Size

783KB
MD5

c7b6950fc14795d0c9df548d62ccbf78
SHA1

5c8bd970726639a931d011123c7dd7cb3bb91352
SHA256

f24016eadd5ac1e6ce3822d0ffb92459e9455fcf15fa93703e5cddb34151ad98
SHA512

e033ee11b5fabe72f9cbf11b9af8b701300ee4d6955ce1b6a72b25fcdcf29149e4d1d2e370a53d75a4180ece064d383f1622f141123abdeed8017e01b6c34009

Score

10^/10

revengerat billion trojan

Malware Config

Extracted

Family

revengerat

Botnet

BILLION

C2

rej.rejgroups.com:4040

Mutex

RV_MUTEX-Y6F7MMH6M66HDLJMYP6B6P

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

description pid process target process

PID 1892 set thread context of 4032 1892 Swift MT103 & Bank Details,pdf.exe Swift MT103 & Bank Details,pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1892 set thread context of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Swift MT103 & Bank Details,pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Swift MT103 & Bank Details,pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Swift MT103 & Bank Details,pdf.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3832 schtasks.exe

pid	process
3832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

pid	process
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe
1892	Swift MT103 & Bank Details,pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

description pid process

Token: SeDebugPrivilege 1892 Swift MT103 & Bank Details,pdf.exe

description	pid	process
Token: SeDebugPrivilege	1892	Swift MT103 & Bank Details,pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Swift MT103 & Bank Details,pdf.exe

C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dquwpruzUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFE8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  - Checks processor information in registry
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift MT103 & Bank Details,pdf.exe"
  2⤵
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAFE8.tmp

MD5
5db402642753bac522e12c3364b9eff4

SHA1
031724b6127a14062366d2d94c7e00da57186b51

SHA256
d5a6551eec123f44dd9dc8fd63cd2e07c03677cd6d05ce8d00df1e5b4f5413a2

SHA512
61c04e337d5a1526faaa347f881208515b41bdd8964db5cdb5fef697d8587ac26b95e980961d48bcbc22217872f32e8331363219391ea4eabd7a18be1b4d746d

Download Submit
memory/1892-123-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/1892-124-0x0000000006700000-0x000000000671C000-memory.dmp

Filesize
112KB

Download
memory/1892-118-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/1892-119-0x0000000005850000-0x0000000005D4E000-memory.dmp

Filesize
5.0MB

Download
memory/1892-120-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1892-121-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1892-117-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/1892-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1892-122-0x00000000058B0000-0x00000000058CE000-memory.dmp

Filesize
120KB

Download
memory/1892-116-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/3832-125-0x0000000000000000-mapping.dmp

Download
memory/4032-127-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4032-128-0x000000000040687E-mapping.dmp

Download
memory/4032-132-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4032-134-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 1892 wrote to memory of 3832	1892	Swift MT103 & Bank Details,pdf.exe	schtasks.exe
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 2144	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 1944	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4052	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe
PID 1892 wrote to memory of 4032	1892	Swift MT103 & Bank Details,pdf.exe	Swift MT103 & Bank Details,pdf.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads