revengerat | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e

General

Target

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
Size

6.6MB
MD5

dc70508f10ea72c1ad810c72b179bf28
SHA1

5c7ef633b20ad47c1a9967a181ebf42a5094c07d
SHA256

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e
SHA512

8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat

Executes dropped EXE 4 IoCs

Processes:

1.exeGerenciador de audio HD Realltek.exeWindows Explorer.exe2.exe

pid process

2080 1.exe
3148 Gerenciador de audio HD Realltek.exe
4628 Windows Explorer.exe
3852 2.exe

pid	process
2080	1.exe
3148	Gerenciador de audio HD Realltek.exe
4628	Windows Explorer.exe
3852	2.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2.exe

description pid process

Token: SeDebugPrivilege 3852 2.exe

description	pid	process
Token: SeDebugPrivilege	3852	2.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe1.exeGerenciador de audio HD Realltek.exeWindows Explorer.exefondue.exefondue.exe2.exe

description	pid	process	target process
PID 3164 wrote to memory of 2080	3164	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 3164 wrote to memory of 2080	3164	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 3164 wrote to memory of 2080	3164	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	1.exe
PID 3164 wrote to memory of 3852	3164	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 3164 wrote to memory of 3852	3164	aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe	2.exe
PID 2080 wrote to memory of 3148	2080	1.exe	Gerenciador de audio HD Realltek.exe
PID 2080 wrote to memory of 3148	2080	1.exe	Gerenciador de audio HD Realltek.exe
PID 2080 wrote to memory of 3148	2080	1.exe	Gerenciador de audio HD Realltek.exe
PID 2080 wrote to memory of 4628	2080	1.exe	Windows Explorer.exe
PID 2080 wrote to memory of 4628	2080	1.exe	Windows Explorer.exe
PID 2080 wrote to memory of 4628	2080	1.exe	Windows Explorer.exe
PID 3148 wrote to memory of 4716	3148	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 3148 wrote to memory of 4716	3148	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 3148 wrote to memory of 4716	3148	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 4628 wrote to memory of 4588	4628	Windows Explorer.exe	fondue.exe
PID 4628 wrote to memory of 4588	4628	Windows Explorer.exe	fondue.exe
PID 4628 wrote to memory of 4588	4628	Windows Explorer.exe	fondue.exe
PID 4716 wrote to memory of 780	4716	fondue.exe	FonDUE.EXE
PID 4716 wrote to memory of 780	4716	fondue.exe	FonDUE.EXE
PID 4588 wrote to memory of 3720	4588	fondue.exe	FonDUE.EXE
PID 4588 wrote to memory of 3720	4588	fondue.exe	FonDUE.EXE
PID 3852 wrote to memory of 4332	3852	2.exe	arp.exe
PID 3852 wrote to memory of 4332	3852	2.exe	arp.exe

C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
"C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
"C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\System32\arp.exe
"C:\Windows\System32\arp.exe" -a
3⤵
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5
a302f849f03f9d0986062f4eb4032824

SHA1
15848e1df366bf37158cc70ab13f01a693a733f0

SHA256
3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d

SHA512
46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5
b829a00948c61c7f278c5820150cfae2

SHA1
63affca7cab301cc1086738e2dde76fe0685ee13

SHA256
b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea

SHA512
27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5
cc19874b2b87478ed80aeb0db2786904

SHA1
04169b414112d5fc80f8ec01eed4e7edeed77e27

SHA256
7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e

SHA512
2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5
15febefbdf4118365bd8a67a1f182543

SHA1
85bd8cb479994a4f9e5e8bb0b42313bfc3a172df

SHA256
1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b

SHA512
9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc

Download Submit
memory/3852-138-0x0000023195600000-0x0000023195C28000-memory.dmp

Filesize
6.2MB

Download
memory/3852-139-0x00007FFC41370000-0x00007FFC41E31000-memory.dmp

Filesize
10.8MB

Download
memory/3852-140-0x00000231B1700000-0x00000231B1702000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads