revengerat | b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b

Analysis

max time kernel
4294208s
max time network
155s
platform
windows7_x64
resource
win7-20220223-en
submitted
09-03-2022 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
Size

7.5MB
MD5

17808fde8c7e2d1a6f9cbdfd1c1c628c
SHA1

1f30f5c18d6fe8322fd67d311043771fffc52c61
SHA256

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b
SHA512

637d20ad9914de591640e9e89b9099793cc40bb16e488587dd4f4b4a56c6171d268f1a55b0d889a5b83cf2fa369d5331afb2e46f7f6cea3ec4a680e123db8dcf

Score

10^/10

revengerat stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
\Windows\SysWOW64\Folder_Guard.exe	revengerat
C:\Windows\SysWOW64\Folder_Guard.exe	revengerat
C:\Windows\SysWOW64\Folder_Guard.exe	revengerat

Executes dropped EXE 4 IoCs

Processes:

Folder_Guard.exe8766448288.exeSetup64.exe

pid process

568 Folder_Guard.exe
984 8766448288.exe
1772 Setup64.exe
1468

pid	process
568	Folder_Guard.exe
984	8766448288.exe
1772	Setup64.exe
1468

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\8766448288.exe	upx
C:\Users\Admin\AppData\Local\Temp\8766448288.exe	upx

Drops startup file 2 IoCs

Processes:

Folder_Guard.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Folder_Guard.exe	Folder_Guard.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Folder_Guard.exe	Folder_Guard.exe

Loads dropped DLL 6 IoCs

Processes:

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exeFolder_Guard.exe8766448288.exeSetup64.exe

pid	process
1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
568	Folder_Guard.exe
984	8766448288.exe
1772	Setup64.exe
1772	Setup64.exe
1468

Drops file in System32 directory 4 IoCs

Processes:

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exeFolder_Guard.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Folder_Guard.exe	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
File opened for modification	C:\Windows\SysWOW64\Folder_Guard.exe	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
File opened for modification	C:\Windows\SysWOW64\Folder_Guard.exe	Folder_Guard.exe
File created	C:\Windows\SysWOW64\Folder_Guard.exe	Folder_Guard.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exeFolder_Guard.exe

description	pid	process
Token: SeDebugPrivilege	1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
Token: SeDebugPrivilege	568	Folder_Guard.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exeFolder_Guard.exe8766448288.exe

description	pid	process	target process
PID 1652 wrote to memory of 568	1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe	Folder_Guard.exe
PID 1652 wrote to memory of 568	1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe	Folder_Guard.exe
PID 1652 wrote to memory of 568	1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe	Folder_Guard.exe
PID 1652 wrote to memory of 568	1652	b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe	Folder_Guard.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 568 wrote to memory of 984	568	Folder_Guard.exe	8766448288.exe
PID 984 wrote to memory of 1772	984	8766448288.exe	Setup64.exe
PID 984 wrote to memory of 1772	984	8766448288.exe	Setup64.exe
PID 984 wrote to memory of 1772	984	8766448288.exe	Setup64.exe
PID 984 wrote to memory of 1772	984	8766448288.exe	Setup64.exe

C:\Users\Admin\AppData\Local\Temp\b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe
"C:\Users\Admin\AppData\Local\Temp\b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Folder_Guard.exe
  "C:\Windows\system32\Folder_Guard.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\8766448288.exe
    "C:\Users\Admin\AppData\Local\Temp\8766448288.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:984
  - - C:\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe
      "C:\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe" /SFX:"C:\Users\Admin\AppData\Local\Temp\8766448288.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8766448288.exe

MD5
ba64b2c3702c15f7c9c5a3fc36e6d7b4

SHA1
805a0eab1c42d62efb2a2c568c36cb06ae9c928e

SHA256
1f912023b9769e0d918b9a98b951fa601cd2448121423ae4c9afc71d2972bb71

SHA512
d204a96d9f1ecc6f0193c01debf8e0e0c5187b904923734f6291144a226dc893b9f9db38c19acebac4a81504521d7db46cfe373c41af7322ad6947e84e8a2a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\~FG.TMP\FGH64.dll

MD5
17c4f0c1ea99f55ca37a39076d80aff3

SHA1
1ef9f765b2e03fb41781c2c7b9bcf0f5aad39271

SHA256
2bd7c9a62d87f6406f84b4844bde30e330c4729ba0e58efc704366504c2b90a5

SHA512
e8473c5c9ceb9be5e4c0eaf9be8d26d7c1aa77b5eaaeb8f29c98e94c77fb1f25bd47ca21b78f21211db558b8cd5a1c3df99991c0544c483718a80bf5a15c6d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\~FG.TMP\FGuard64.dll

MD5
af2d965ceb87033a140d7e1655a09bc3

SHA1
d42ef8db0d7530a74e4789e5967b7e70e902541e

SHA256
5a6dfadacc088d79ed751514b48870671023c660a6d5b9a40d91c6317e12fbff

SHA512
d5aaf891a8accf94498042e7ecd79c739457ef2926fb1ee5d842d0207580239c1973d8f4beb8c51b4a3578088143f1b856bec930f0b37ba996ccb895d26d93ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe

MD5
5a83e8b49606719bc4722fe9a22f5204

SHA1
39d14e790e573cb710b4074519c702b532baa02f

SHA256
4c7245c283508cdda9d59c4d16504d30821168fef7ce0af3bcb50fa07e6af062

SHA512
885529841feffdd48fb978e97a2cb2560c06cf82f27428dfe370472c601a26c694e74f022976180b1bcd96a0044d5fcd231d66293773ea7e5624ea89827cbdb5

Download Submit
C:\Windows\SysWOW64\Folder_Guard.exe

MD5
17808fde8c7e2d1a6f9cbdfd1c1c628c

SHA1
1f30f5c18d6fe8322fd67d311043771fffc52c61

SHA256
b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b

SHA512
637d20ad9914de591640e9e89b9099793cc40bb16e488587dd4f4b4a56c6171d268f1a55b0d889a5b83cf2fa369d5331afb2e46f7f6cea3ec4a680e123db8dcf

Download Submit
C:\Windows\SysWOW64\Folder_Guard.exe

MD5
17808fde8c7e2d1a6f9cbdfd1c1c628c

SHA1
1f30f5c18d6fe8322fd67d311043771fffc52c61

SHA256
b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b

SHA512
637d20ad9914de591640e9e89b9099793cc40bb16e488587dd4f4b4a56c6171d268f1a55b0d889a5b83cf2fa369d5331afb2e46f7f6cea3ec4a680e123db8dcf

Download Submit
\Users\Admin\AppData\Local\Temp\8766448288.exe

MD5
ba64b2c3702c15f7c9c5a3fc36e6d7b4

SHA1
805a0eab1c42d62efb2a2c568c36cb06ae9c928e

SHA256
1f912023b9769e0d918b9a98b951fa601cd2448121423ae4c9afc71d2972bb71

SHA512
d204a96d9f1ecc6f0193c01debf8e0e0c5187b904923734f6291144a226dc893b9f9db38c19acebac4a81504521d7db46cfe373c41af7322ad6947e84e8a2a08

Download Submit
\Users\Admin\AppData\Local\Temp\~FG.TMP\FGH64.dll

MD5
17c4f0c1ea99f55ca37a39076d80aff3

SHA1
1ef9f765b2e03fb41781c2c7b9bcf0f5aad39271

SHA256
2bd7c9a62d87f6406f84b4844bde30e330c4729ba0e58efc704366504c2b90a5

SHA512
e8473c5c9ceb9be5e4c0eaf9be8d26d7c1aa77b5eaaeb8f29c98e94c77fb1f25bd47ca21b78f21211db558b8cd5a1c3df99991c0544c483718a80bf5a15c6d87

Download Submit
\Users\Admin\AppData\Local\Temp\~FG.TMP\FGUARD64.dll

MD5
af2d965ceb87033a140d7e1655a09bc3

SHA1
d42ef8db0d7530a74e4789e5967b7e70e902541e

SHA256
5a6dfadacc088d79ed751514b48870671023c660a6d5b9a40d91c6317e12fbff

SHA512
d5aaf891a8accf94498042e7ecd79c739457ef2926fb1ee5d842d0207580239c1973d8f4beb8c51b4a3578088143f1b856bec930f0b37ba996ccb895d26d93ad

Download Submit
\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe

MD5
5a83e8b49606719bc4722fe9a22f5204

SHA1
39d14e790e573cb710b4074519c702b532baa02f

SHA256
4c7245c283508cdda9d59c4d16504d30821168fef7ce0af3bcb50fa07e6af062

SHA512
885529841feffdd48fb978e97a2cb2560c06cf82f27428dfe370472c601a26c694e74f022976180b1bcd96a0044d5fcd231d66293773ea7e5624ea89827cbdb5

Download Submit
\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe

MD5
5a83e8b49606719bc4722fe9a22f5204

SHA1
39d14e790e573cb710b4074519c702b532baa02f

SHA256
4c7245c283508cdda9d59c4d16504d30821168fef7ce0af3bcb50fa07e6af062

SHA512
885529841feffdd48fb978e97a2cb2560c06cf82f27428dfe370472c601a26c694e74f022976180b1bcd96a0044d5fcd231d66293773ea7e5624ea89827cbdb5

Download Submit
\Users\Admin\AppData\Local\Temp\~FG.TMP\Setup64.exe

MD5
5a83e8b49606719bc4722fe9a22f5204

SHA1
39d14e790e573cb710b4074519c702b532baa02f

SHA256
4c7245c283508cdda9d59c4d16504d30821168fef7ce0af3bcb50fa07e6af062

SHA512
885529841feffdd48fb978e97a2cb2560c06cf82f27428dfe370472c601a26c694e74f022976180b1bcd96a0044d5fcd231d66293773ea7e5624ea89827cbdb5

Download Submit
\Windows\SysWOW64\Folder_Guard.exe

MD5
17808fde8c7e2d1a6f9cbdfd1c1c628c

SHA1
1f30f5c18d6fe8322fd67d311043771fffc52c61

SHA256
b3da01b83eb9ba4fc8a3fa2996dfbdc1bb185709b6998d72dd59490b1040d53b

SHA512
637d20ad9914de591640e9e89b9099793cc40bb16e488587dd4f4b4a56c6171d268f1a55b0d889a5b83cf2fa369d5331afb2e46f7f6cea3ec4a680e123db8dcf

Download Submit
memory/568-61-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/568-62-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1652-56-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1652-55-0x0000000074E40000-0x00000000753EB000-memory.dmp

Filesize
5.7MB

Download
memory/1652-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1772-72-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download