revengerat | 14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561 | Triage

Sharing

General

Target

14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561
Size

74KB
Sample

220219-k3lh5abcak
MD5

590f345e2c9714dabfb2944aa79e7c5f
SHA1

44050c1021c42197d9ce085d7cec9a395d4a9fcc
SHA256

14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561
SHA512

c5c65ffc313dca8ce9aa82ee873847787ca0c725f240c2a83aac2328cca6450a5df4b57ee08419f87dd06370e811d6b70f7225800fc94311075670f7c1f9244f

Score

10^/10

revengerat client trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/qZMWnhpc

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Targets

- Target
  
  14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561
- Size
  
  74KB
- MD5
  
  590f345e2c9714dabfb2944aa79e7c5f
- SHA1
  
  44050c1021c42197d9ce085d7cec9a395d4a9fcc
- SHA256
  
  14a8b1172f7f0d8cf9bc6fe3aa20f1700170b7e3ea280e85659a72099333e561
- SHA512
  
  c5c65ffc313dca8ce9aa82ee873847787ca0c725f240c2a83aac2328cca6450a5df4b57ee08419f87dd06370e811d6b70f7225800fc94311075670f7c1f9244f
Score

10^/10

revengerat client trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

revengeratclienttrojan