revengerat | 8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af

General

Target

8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe
Size

559KB
MD5

d85aaaf579761976abca4aa62613da97
SHA1

d0fbf145c710792b437c7cbba09af3a2ffbcacd2
SHA256

8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af
SHA512

4b1368dc815fad184fd8493274abe4915a9851cdc75ebd26a495134495bda7a9edb513d0b688defe5caf0eec67867aba02c0cbffc8e0ef81114a55675aaa833b

Score

10^/10

revengerat jso ##stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

JSO ##

C2

presentationf.sytes.net:15920

Mutex

RV_MUTEX-juuVYrpxjEexV

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1808-55-0x00000000012F0000-0x0000000001380000-memory.dmp	Nirsoft
\Users\Admin\AppData\Local\Temp@gl - @zn.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe	Nirsoft
behavioral1/memory/1168-65-0x00000000009E0000-0x0000000000A50000-memory.dmp	Nirsoft

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1188-66-0x0000000000480000-0x000000000048A000-memory.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

Tempsvchost.exeTemp@gl - @zn.exe

pid process

1188 Tempsvchost.exe
1168 Temp@gl - @zn.exe

pid	process
1188	Tempsvchost.exe
1168	Temp@gl - @zn.exe

Loads dropped DLL 2 IoCs

Processes:

8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe

pid	process
1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe
1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Tempsvchost.exe

description pid process

Token: SeDebugPrivilege 1188 Tempsvchost.exe

description	pid	process
Token: SeDebugPrivilege	1188	Tempsvchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe

description	pid	process	target process
PID 1808 wrote to memory of 1188	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Tempsvchost.exe
PID 1808 wrote to memory of 1188	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Tempsvchost.exe
PID 1808 wrote to memory of 1188	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Tempsvchost.exe
PID 1808 wrote to memory of 1188	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Tempsvchost.exe
PID 1808 wrote to memory of 1168	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Temp@gl - @zn.exe
PID 1808 wrote to memory of 1168	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Temp@gl - @zn.exe
PID 1808 wrote to memory of 1168	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Temp@gl - @zn.exe
PID 1808 wrote to memory of 1168	1808	8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe	Temp@gl - @zn.exe

C:\Users\Admin\AppData\Local\Temp\8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe
"C:\Users\Admin\AppData\Local\Temp\8123ebfcb39868d686be6910129fe6659acf3bb67e9497db491438d5617678af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Tempsvchost.exe
  "C:\Users\Admin\AppData\Local\Tempsvchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe
  "C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe"
  2⤵
  - Executes dropped EXE
  PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe

MD5
29b7ba4aab993c5cd3bbcae9531813dc

SHA1
eb9f82c8e7cd75b312a305efc040dd72254ff502

SHA256
272900f82fb137ed4554ea7bc0a75e8ffe0d0945a2783b9f0d05cf7d083b90ca

SHA512
acc3a92a7851e7e373589ac516196feab28ded997bf82ca2674e082be5ac8c29cd56b564ebef559ae13b4f33572b9c392506e26475fd8855900123565c996d54

Download Submit
C:\Users\Admin\AppData\Local\Temp@gl - @zn.exe

MD5
29b7ba4aab993c5cd3bbcae9531813dc

SHA1
eb9f82c8e7cd75b312a305efc040dd72254ff502

SHA256
272900f82fb137ed4554ea7bc0a75e8ffe0d0945a2783b9f0d05cf7d083b90ca

SHA512
acc3a92a7851e7e373589ac516196feab28ded997bf82ca2674e082be5ac8c29cd56b564ebef559ae13b4f33572b9c392506e26475fd8855900123565c996d54

Download Submit
C:\Users\Admin\AppData\Local\Tempsvchost.exe

MD5
21e7f29747e49fb9cc89bf6e9d70422e

SHA1
7cdb4953bae7ac74862cd83469a27a17c4ded43e

SHA256
699b93787482cdf424059c696b81176af9c63c9158dd9fbdc1ac6b6a8d00a951

SHA512
04dc51bfdd88ae29fda0b16529728a16e86ae0d47168abe452a6c999dea4e5200ec9c462bbee71b5c8a2984ea833ac2a6b3dab7b3f63f1dcf9a815c831ab856c

Download Submit
C:\Users\Admin\AppData\Local\Tempsvchost.exe

MD5
21e7f29747e49fb9cc89bf6e9d70422e

SHA1
7cdb4953bae7ac74862cd83469a27a17c4ded43e

SHA256
699b93787482cdf424059c696b81176af9c63c9158dd9fbdc1ac6b6a8d00a951

SHA512
04dc51bfdd88ae29fda0b16529728a16e86ae0d47168abe452a6c999dea4e5200ec9c462bbee71b5c8a2984ea833ac2a6b3dab7b3f63f1dcf9a815c831ab856c

Download Submit
\Users\Admin\AppData\Local\Temp@gl - @zn.exe

MD5
29b7ba4aab993c5cd3bbcae9531813dc

SHA1
eb9f82c8e7cd75b312a305efc040dd72254ff502

SHA256
272900f82fb137ed4554ea7bc0a75e8ffe0d0945a2783b9f0d05cf7d083b90ca

SHA512
acc3a92a7851e7e373589ac516196feab28ded997bf82ca2674e082be5ac8c29cd56b564ebef559ae13b4f33572b9c392506e26475fd8855900123565c996d54

Download Submit
\Users\Admin\AppData\Local\Tempsvchost.exe

MD5
21e7f29747e49fb9cc89bf6e9d70422e

SHA1
7cdb4953bae7ac74862cd83469a27a17c4ded43e

SHA256
699b93787482cdf424059c696b81176af9c63c9158dd9fbdc1ac6b6a8d00a951

SHA512
04dc51bfdd88ae29fda0b16529728a16e86ae0d47168abe452a6c999dea4e5200ec9c462bbee71b5c8a2984ea833ac2a6b3dab7b3f63f1dcf9a815c831ab856c

Download Submit
memory/1168-65-0x00000000009E0000-0x0000000000A50000-memory.dmp

Filesize
448KB

Download
memory/1168-67-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1168-69-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1168-70-0x0000000004DD5000-0x0000000004DE6000-memory.dmp

Filesize
68KB

Download
memory/1188-60-0x00000000013D0000-0x00000000013F0000-memory.dmp

Filesize
128KB

Download
memory/1188-61-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-66-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1188-68-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/1808-54-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/1808-56-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1808-55-0x00000000012F0000-0x0000000001380000-memory.dmp

Filesize
576KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads