revengerat | 9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7

General

Target

9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
Size

45KB
MD5

3466fd80a243ae5b2e2581214b49d0be
SHA1

a68eb0b7f56bc5459502f83ffa55e6a783b78797
SHA256

9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7
SHA512

ca3bce0228d8ad34e90ed49207bbc3e4f906281167bf20f02e9f7aa0fe8054741578d0d98132e70417913ffc2caff4f5f710f76acd351981c6c5a4dac74ad720

Score

10^/10

revengerat client trojan

Malware Config

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1440 set thread context of 4760 1440 powershell.exe RegAsm.exe

description	pid	process	target process
PID 1440 set thread context of 4760	1440	powershell.exe	RegAsm.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1440 powershell.exe
1440 powershell.exe

pid	process
1440	powershell.exe
1440	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeShutdownPrivilege	3008	svchost.exe
Token: SeCreatePagefilePrivilege	3008	svchost.exe
Token: SeShutdownPrivilege	3008	svchost.exe
Token: SeCreatePagefilePrivilege	3008	svchost.exe
Token: SeShutdownPrivilege	3008	svchost.exe
Token: SeCreatePagefilePrivilege	3008	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 1440 wrote to memory of 4712	1440	powershell.exe	csc.exe
PID 1440 wrote to memory of 4712	1440	powershell.exe	csc.exe
PID 4712 wrote to memory of 1428	4712	csc.exe	cvtres.exe
PID 4712 wrote to memory of 1428	4712	csc.exe	cvtres.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe
PID 1440 wrote to memory of 4760	1440	powershell.exe	RegAsm.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\9e70c5b4e6bbfaa1f7d410b0d79aae92c23a88ce32f7b6e651bfcfeece407bf7.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD16.tmp" "c:\Users\Admin\AppData\Local\Temp\ltpai4re\CSC96B9FE27F70B40589AA32076DCFC3AD1.TMP"
3⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAD16.tmp
MD5
ff207b03110a0b13faf389fc4b7146db

SHA1
3273d76c9c2d6a6e5b05eb19c0f2b8e657fd43d5

SHA256
256e062b17ce10590ed6d0e64229dd9021bad39a29d6f416d78cf55c58748933

SHA512
688650273cc8a1ee1d5c4da97e900cf847ae17740d100561cf944ae0eb7ffea86a5da7c9f1bc36125de9690eae504bd3fa2e5b9d8071a8d28c01c0181f7086b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.dll
MD5
b727741ee5eac8ce904b0d1708caada5

SHA1
6509c8f854436bc5008d74e5bbf4620b00b55f95

SHA256
81724ef091f221398e2f2623b6538e3541e171f09f2897b88f2db56f76caa8a0

SHA512
c68e22238ba911dc3d57788c79d33ad9697e45ef05a995815aa4a0169502aa8d836bcef4f94b82da40d9259d9cd67cdd96539aaf397b6cb4697ae0726e94f268

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\CSC96B9FE27F70B40589AA32076DCFC3AD1.TMP
MD5
83aba12c27f4e29287dedf5fff3dc803

SHA1
0cea272307a39115306be3edb89b693d7900694b

SHA256
e1e4eabb840f6ac30497bda8f19b47266e1c6772f434177a76c0ad0c415329f2

SHA512
33fa08fad24bec7c1180bc0533346f2d47b3bbba99e89a38de9db70e107192b6bfd0d43ca3cc20bdc4406756b3027d8021fbbb97706ebead6b825602e402bffc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.0.cs
MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltpai4re\ltpai4re.cmdline
MD5
d4b5344e6b974743ca9b9d982104bd1b

SHA1
687a3321325cd6d27afe35debc32caf2a87eb2ed

SHA256
41880aa1ac70d0c2bd9a4cd5da6e6da55d77805baf61acbbb041dc6412f7c2cc

SHA512
49cd0814cafa812519244d8d6f27be91f6da1fdfeb057c6e4b3d0b9d37a0555ea8f555d8a5568b70c37e657295f2e5cbeccb99099c816a3490fb295cb2a5c446

Download Submit
memory/1440-134-0x000002979D406000-0x000002979D408000-memory.dmp

Filesize
8KB

Download
memory/1440-130-0x000002979D4B0000-0x000002979D4D2000-memory.dmp

Filesize
136KB

Download
memory/1440-133-0x000002979D403000-0x000002979D405000-memory.dmp

Filesize
8KB

Download
memory/1440-132-0x000002979D400000-0x000002979D402000-memory.dmp

Filesize
8KB

Download
memory/1440-131-0x00007FFE67103000-0x00007FFE67105000-memory.dmp

Filesize
8KB

Download
memory/1440-135-0x000002979D9D0000-0x000002979DA46000-memory.dmp

Filesize
472KB

Download
memory/3008-146-0x00000153CA920000-0x00000153CA930000-memory.dmp

Filesize
64KB

Download
memory/3008-148-0x00000153CD030000-0x00000153CD034000-memory.dmp

Filesize
16KB

Download
memory/3008-147-0x00000153CA980000-0x00000153CA990000-memory.dmp

Filesize
64KB

Download
memory/4760-142-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/4760-145-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/4760-144-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/4760-143-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/4760-141-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads