revengerat | 05233a50ac2c427372ab8475a2f4dc5f031f87af0cc916dc824a2c66837afc4e

General

Target

MID REF. QT-MID19=11777.exe
Size

991KB
MD5

39082bcd7e25ae956fccb7e941d5256d
SHA1

8b4f9fd2198af765dcce75c0222919c638e4fa29
SHA256

05233a50ac2c427372ab8475a2f4dc5f031f87af0cc916dc824a2c66837afc4e
SHA512

dff7aba7f2e5bb65d1aa506a1f6770f4f7761aa17f28bfcdaca407b0aa7ae3b6bf0fd3599fc0dd979418313c4aa26930aec99ed89ba420811cdce9010940f41c

Score

10^/10

revengerat degrace trojan

Malware Config

Extracted

Family

revengerat

Botnet

DEGRACE

C2

77.247.110.178:5040

Mutex

RV_MUTEX-MB4S0YIGA6UFWH10GXQLHP

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

MID REF. QT-MID19=11777.exe

description pid process target process

PID 320 set thread context of 484 320 MID REF. QT-MID19=11777.exe MID REF. QT-MID19=11777.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 320 set thread context of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MID REF. QT-MID19=11777.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	MID REF. QT-MID19=11777.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CENTRALPROCESSOR\0\ProcessorNameString	MID REF. QT-MID19=11777.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1740 schtasks.exe

pid	process
1740	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

MID REF. QT-MID19=11777.exe

description	pid	process	target process
PID 320 wrote to memory of 1740	320	MID REF. QT-MID19=11777.exe	schtasks.exe
PID 320 wrote to memory of 1740	320	MID REF. QT-MID19=11777.exe	schtasks.exe
PID 320 wrote to memory of 1740	320	MID REF. QT-MID19=11777.exe	schtasks.exe
PID 320 wrote to memory of 1740	320	MID REF. QT-MID19=11777.exe	schtasks.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe
PID 320 wrote to memory of 484	320	MID REF. QT-MID19=11777.exe	MID REF. QT-MID19=11777.exe

C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe
"C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UFyRUWFip" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe
  "C:\Users\Admin\AppData\Local\Temp\MID REF. QT-MID19=11777.exe"
  2⤵
  - Checks processor information in registry
  PID:484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCA8F.tmp

MD5
94dacda815b5754a56838f5e9bfbf339

SHA1
59bc38c70885cb3b6d33cd39ccc959617c82576c

SHA256
f87ad60bee2e4ff03d853e3833c616ee368e3c9db89e24192211b97454bf57cf

SHA512
fec64b8aa08894977f6a2b7f8f9c4493f464a08f6c0f97a3d1108773202e00b912f2416dbb455191fbd1129ba5b3c3ffe83ebda3b5e0e50a78e04651b33a891f

Download Submit
memory/320-59-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/320-61-0x00000000005E0000-0x00000000005FE000-memory.dmp

Filesize
120KB

Download
memory/320-62-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/320-63-0x00000000011F0000-0x0000000001254000-memory.dmp

Filesize
400KB

Download
memory/320-64-0x0000000000A20000-0x0000000000A39000-memory.dmp

Filesize
100KB

Download
memory/484-68-0x000000000040687E-mapping.dmp

Download
memory/484-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/484-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/484-71-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1740-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads