revengerat | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

General

Target

3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
Size

661KB
MD5

a302f849f03f9d0986062f4eb4032824
SHA1

15848e1df366bf37158cc70ab13f01a693a733f0
SHA256

3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d
SHA512

46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

Gerenciador de audio HD Realltek.exeWindows Explorer.exe

pid process

4312 Gerenciador de audio HD Realltek.exe
2856 Windows Explorer.exe

pid	process
4312	Gerenciador de audio HD Realltek.exe
2856	Windows Explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exeGerenciador de audio HD Realltek.exeWindows Explorer.exefondue.exefondue.exe

description	pid	process	target process
PID 2928 wrote to memory of 4312	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Gerenciador de audio HD Realltek.exe
PID 2928 wrote to memory of 4312	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Gerenciador de audio HD Realltek.exe
PID 2928 wrote to memory of 4312	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Gerenciador de audio HD Realltek.exe
PID 4312 wrote to memory of 4172	4312	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 4312 wrote to memory of 4172	4312	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 4312 wrote to memory of 4172	4312	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 2928 wrote to memory of 2856	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Windows Explorer.exe
PID 2928 wrote to memory of 2856	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Windows Explorer.exe
PID 2928 wrote to memory of 2856	2928	3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe	Windows Explorer.exe
PID 2856 wrote to memory of 1760	2856	Windows Explorer.exe	fondue.exe
PID 2856 wrote to memory of 1760	2856	Windows Explorer.exe	fondue.exe
PID 2856 wrote to memory of 1760	2856	Windows Explorer.exe	fondue.exe
PID 4172 wrote to memory of 1464	4172	fondue.exe	FonDUE.EXE
PID 4172 wrote to memory of 1464	4172	fondue.exe	FonDUE.EXE
PID 1760 wrote to memory of 1248	1760	fondue.exe	FonDUE.EXE
PID 1760 wrote to memory of 1248	1760	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
"C:\Users\Admin\AppData\Local\Temp\3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
"C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads