revengerat | a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de

General

Target

a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe
Size

985KB
MD5

f1e0daaf0391d14802503dfc1765ed79
SHA1

d358b88991e4eb16df13938ecabf90bbc15215ff
SHA256

a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de
SHA512

66e582fcaea00df8296682e4fdce72890f2a4c0ea831848e1c430849e1fd9ea5bc9a68b74a24cdabc6301a9db5da26650a15b1eac8151d1542a939b3ea512ced

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe	Nirsoft

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe	revengerat

Executes dropped EXE 3 IoCs

Processes:

Gerenciador de audio HD Realltek.exeWindows Explorer.exeGoogle Chrome.exe

pid process

1588 Gerenciador de audio HD Realltek.exe
3448 Windows Explorer.exe
4048 Google Chrome.exe

pid	process
1588	Gerenciador de audio HD Realltek.exe
3448	Windows Explorer.exe
4048	Google Chrome.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exeGerenciador de audio HD Realltek.exeWindows Explorer.exeGoogle Chrome.exefondue.exefondue.exefondue.exe

description	pid	process	target process
PID 4388 wrote to memory of 1588	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Gerenciador de audio HD Realltek.exe
PID 4388 wrote to memory of 1588	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Gerenciador de audio HD Realltek.exe
PID 4388 wrote to memory of 1588	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Gerenciador de audio HD Realltek.exe
PID 4388 wrote to memory of 3448	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Windows Explorer.exe
PID 4388 wrote to memory of 3448	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Windows Explorer.exe
PID 4388 wrote to memory of 3448	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Windows Explorer.exe
PID 4388 wrote to memory of 4048	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Google Chrome.exe
PID 4388 wrote to memory of 4048	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Google Chrome.exe
PID 4388 wrote to memory of 4048	4388	a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe	Google Chrome.exe
PID 1588 wrote to memory of 1480	1588	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 1588 wrote to memory of 1480	1588	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 1588 wrote to memory of 1480	1588	Gerenciador de audio HD Realltek.exe	fondue.exe
PID 3448 wrote to memory of 3080	3448	Windows Explorer.exe	fondue.exe
PID 3448 wrote to memory of 3080	3448	Windows Explorer.exe	fondue.exe
PID 3448 wrote to memory of 3080	3448	Windows Explorer.exe	fondue.exe
PID 4048 wrote to memory of 4808	4048	Google Chrome.exe	fondue.exe
PID 4048 wrote to memory of 4808	4048	Google Chrome.exe	fondue.exe
PID 4048 wrote to memory of 4808	4048	Google Chrome.exe	fondue.exe
PID 3080 wrote to memory of 2704	3080	fondue.exe	FonDUE.EXE
PID 3080 wrote to memory of 2704	3080	fondue.exe	FonDUE.EXE
PID 4808 wrote to memory of 2576	4808	fondue.exe	FonDUE.EXE
PID 4808 wrote to memory of 2576	4808	fondue.exe	FonDUE.EXE
PID 1480 wrote to memory of 2808	1480	fondue.exe	FonDUE.EXE
PID 1480 wrote to memory of 2808	1480	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe
"C:\Users\Admin\AppData\Local\Temp\a4594e8cc648bdc34cce2219f26bf545eb8a42a3258925284c713475bc0650de.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
  "C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2808
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2704
- C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\fondue.exe
    "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\system32\FonDUE.EXE
      "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      4⤵
      PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
630a7cda478d4f838c5e7b44b584d803

SHA1
75da72110dcb0d67db457ad5bf2d359aa75d2625

SHA256
349bda9c7f775c0a32642e8e94433f0e0fbf19216f0502a059e83e4ea37c7e1a

SHA512
6b29bfbee371c93b0dbb401621c21fcc81e89cea16b81848f9f17d48b9b02d83e4a6e7e4421f0266142d6c20075a7bcde59529e7324c705c9ae4cbb11ac3dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe

MD5
630a7cda478d4f838c5e7b44b584d803

SHA1
75da72110dcb0d67db457ad5bf2d359aa75d2625

SHA256
349bda9c7f775c0a32642e8e94433f0e0fbf19216f0502a059e83e4ea37c7e1a

SHA512
6b29bfbee371c93b0dbb401621c21fcc81e89cea16b81848f9f17d48b9b02d83e4a6e7e4421f0266142d6c20075a7bcde59529e7324c705c9ae4cbb11ac3dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

MD5
be2c35a4a7de5f519678ec00c74de42c

SHA1
74e424676007d5d0239feb01b207e85a2e2d3854

SHA256
269559df0408d116c4201379e5872c7934a1ddda3805c86b9a6ac757a32a7930

SHA512
7bae92d18a1751d66140106659b9cbe727cf9691788e10e59bb309b988b6888118f9871df44104cecdf66d72a776476be90990e9971483763557cf5616e2aadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

MD5
be2c35a4a7de5f519678ec00c74de42c

SHA1
74e424676007d5d0239feb01b207e85a2e2d3854

SHA256
269559df0408d116c4201379e5872c7934a1ddda3805c86b9a6ac757a32a7930

SHA512
7bae92d18a1751d66140106659b9cbe727cf9691788e10e59bb309b988b6888118f9871df44104cecdf66d72a776476be90990e9971483763557cf5616e2aadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
a10fe20201ca6f8903f808974cc588b1

SHA1
8d409a055f573e8d6b617a71f4a90d00084184c9

SHA256
277cd876629d33374820ba503adde64055216f875eccfc690243a114fcd8a8b1

SHA512
da4123388fd7e89f9843d848d16eaff34f52a7e73d4da6658527f043aa6f201a718b06027150fb0c2a7149df0bea1942057bac3816182fa9778fe6fe7367583a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

MD5
a10fe20201ca6f8903f808974cc588b1

SHA1
8d409a055f573e8d6b617a71f4a90d00084184c9

SHA256
277cd876629d33374820ba503adde64055216f875eccfc690243a114fcd8a8b1

SHA512
da4123388fd7e89f9843d848d16eaff34f52a7e73d4da6658527f043aa6f201a718b06027150fb0c2a7149df0bea1942057bac3816182fa9778fe6fe7367583a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads