revengerat | e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937

Analysis

Target

e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe
Size

15KB
MD5

b8448486361127d19646cd0a420ba047
SHA1

5e50e5c076e3b0843afaf038a3dec777a6e84759
SHA256

e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937
SHA512

caff3217b5563176f787bef7bb8864e67189b0ad0eda4f10f2d0e0ee18b966816f62f95f8b1c9ddd238bfa2f94b545c577c5e8b52f58d729eb7ca107f9b50494

Score

10^/10

Family

revengerat

Botnet

Client

bodmas01.zapto.org:7975

Mutex

SXDWCX2QPFGVQS2

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	3788	svchost.exe
Token: SeCreatePagefilePrivilege	3788	svchost.exe
Token: SeShutdownPrivilege	3788	svchost.exe
Token: SeCreatePagefilePrivilege	3788	svchost.exe
Token: SeShutdownPrivilege	3788	svchost.exe
Token: SeCreatePagefilePrivilege	3788	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe
"C:\Users\Admin\AppData\Local\Temp\e38f7a1882ac64fab611b3be73fda7eece5fb9a6ea131b36985aa60a0988e937.exe"
1⤵
PID:3052

memory/3052-130-0x00007FFCDDA13000-0x00007FFCDDA15000-memory.dmp

Filesize
8KB

Download
memory/3052-131-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/3052-132-0x000000001BC40000-0x000000001BC42000-memory.dmp

Filesize
8KB

Download
memory/3788-133-0x0000020DE8020000-0x0000020DE8030000-memory.dmp

Filesize
64KB

Download
memory/3788-134-0x0000020DE8080000-0x0000020DE8090000-memory.dmp

Filesize
64KB

Download
memory/3788-135-0x0000020DEA740000-0x0000020DEA744000-memory.dmp

Filesize
16KB

Download