revengerat | 36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298 | Triage

Sharing

General

Target

36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298
Size

38KB
Sample

220219-kznt3sabc8
MD5

0d16eafc2062d62ca907d9173306297e
SHA1

8c276ce7589c6fe757206ba932fc8f15865869c1
SHA256

36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298
SHA512

1190ddc702ca46931a7e08aa0c0aeee59ba2f948cfc1301797e7400236f0cd30ed341fddb3f67105aafcba40b2cd710bb8244833ffdb92eb51724a4b4057b480

Score

10^/10

revengerat client trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pastebin.com/raw/8AjnXrD3

Extracted

Family

revengerat

Botnet

Client

C2

kimjoy.ddns.net:2021

Mutex

RXQLV8XYTDNHNSA

Targets

- Target
  
  36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298
- Size
  
  38KB
- MD5
  
  0d16eafc2062d62ca907d9173306297e
- SHA1
  
  8c276ce7589c6fe757206ba932fc8f15865869c1
- SHA256
  
  36884fba5e03e2bda056c5345d1e9e2af3d72860c116b0110c9a845fbeb68298
- SHA512
  
  1190ddc702ca46931a7e08aa0c0aeee59ba2f948cfc1301797e7400236f0cd30ed341fddb3f67105aafcba40b2cd710bb8244833ffdb92eb51724a4b4057b480
Score

10^/10

revengerat client trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

revengeratclienttrojan