revengerat | 44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241

Analysis

max time kernel
4294182s
max time network
127s
platform
windows7_x64
resource
win7-20220310-en
submitted
19-03-2022 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe
Size

499KB
MD5

b846e8d425cc7617865b1e40fbe38123
SHA1

1d82502f059936a7c198c43dffc668481ba4cb7d
SHA256

44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241
SHA512

91903caa187aeb29763c970cae66ec82a0548ccb041b2117e7cabca054b44871494220c08db6cd725c390f22a98b5442192d11047f5f033024f1b4f0323b96a1

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\123.exe	revengerat
\Users\Admin\AppData\Local\Temp\123.exe	revengerat
\Users\Admin\AppData\Local\Temp\123.exe	revengerat
\Users\Admin\AppData\Local\Temp\123.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\123.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\123.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

123.sfx.exe123.exe

pid process

2040 123.sfx.exe
2012 123.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exe123.sfx.exe

pid process

1972 cmd.exe
2040 123.sfx.exe
2040 123.sfx.exe
2040 123.sfx.exe
2040 123.sfx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

123.exe

pid process

2012 123.exe
2012 123.exe
2012 123.exe
2012 123.exe
2012 123.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

123.exe

description pid process

Token: SeDebugPrivilege 2012 123.exe

pid	process
2040	123.sfx.exe
2012	123.exe

pid	process
1972	cmd.exe
2040	123.sfx.exe
2040	123.sfx.exe
2040	123.sfx.exe
2040	123.sfx.exe

pid	process
2012	123.exe
2012	123.exe
2012	123.exe
2012	123.exe
2012	123.exe

description	pid	process
Token: SeDebugPrivilege	2012	123.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exeWScript.execmd.exe123.sfx.exe123.exe

description	pid	process	target process
PID 304 wrote to memory of 1144	304	44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe	WScript.exe
PID 304 wrote to memory of 1144	304	44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe	WScript.exe
PID 304 wrote to memory of 1144	304	44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe	WScript.exe
PID 304 wrote to memory of 1144	304	44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe	WScript.exe
PID 1144 wrote to memory of 1972	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1972	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1972	1144	WScript.exe	cmd.exe
PID 1144 wrote to memory of 1972	1144	WScript.exe	cmd.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	123.sfx.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	123.sfx.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	123.sfx.exe
PID 1972 wrote to memory of 2040	1972	cmd.exe	123.sfx.exe
PID 2040 wrote to memory of 2012	2040	123.sfx.exe	123.exe
PID 2040 wrote to memory of 2012	2040	123.sfx.exe	123.exe
PID 2040 wrote to memory of 2012	2040	123.sfx.exe	123.exe
PID 2040 wrote to memory of 2012	2040	123.sfx.exe	123.exe
PID 2012 wrote to memory of 1184	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1184	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1184	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1184	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 992	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 992	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 992	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 992	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1156	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1156	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1156	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1156	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1012	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1012	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1012	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1012	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1840	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1840	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1840	2012	123.exe	MSBuild.exe
PID 2012 wrote to memory of 1840	2012	123.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe
"C:\Users\Admin\AppData\Local\Temp\44bec1a9adeacd7b65a7b3d34b2396a6701bf090ce9c060c658d18694eb6a241.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\123.sfx.exe
123.sfx.exe -pYVdKRVRtaFpiVFY1V20xR2MwMXFhR2xpUkVsNA== -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
6⤵
PID:1012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.sfx.exe
MD5
63818d7dde7a6ef3748adab4d533838a

SHA1
330a16ab50f1d987e14294202f33025c679fe673

SHA256
f2c3431907d722d12cd4038a5c0a2cced3ed52a0f404847012465a028092b7c1

SHA512
76d42468324b2d965618829f8562b521eea315121e0584cfcec9c35a05da0c898126c4c2767aa2b50027c09e7a985a79c7bd59ac06cfb8dc339bc82b6ee013a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.sfx.exe
MD5
63818d7dde7a6ef3748adab4d533838a

SHA1
330a16ab50f1d987e14294202f33025c679fe673

SHA256
f2c3431907d722d12cd4038a5c0a2cced3ed52a0f404847012465a028092b7c1

SHA512
76d42468324b2d965618829f8562b521eea315121e0584cfcec9c35a05da0c898126c4c2767aa2b50027c09e7a985a79c7bd59ac06cfb8dc339bc82b6ee013a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\bat.bat
MD5
6f5249bad1a5f90f6a46327703687f27

SHA1
70ac87edefecb66a6cda5fd0ba3cfbb13c75986e

SHA256
161be033dee0dfa8fd9793645d554c6b9bc06ea83e0e4fba7bddfd9cc2094ce9

SHA512
a0630fcaea89b9f1f250fbf8b59f43b5ae526b4e3e51d74a76da75ad75f4bc33b20e2fb81333793a8c0040561480aa52629f0402820c31c9dff43c68f0fe55ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
MD5
dc06d3c7415f4f6b05272426a63e9fd1

SHA1
2a148ec726cde2a19222c03ebf2cf48e8a5c171f

SHA256
101467d0422de2fafce3dc4e7f28343f7eab7f132a42843a9498b0fe3ffa9093

SHA512
d2063eddd861715db497adaf3440fc120aed019aa309ca2010d7b19e26987648c67f590e141df31b7c660cfebb33f052861fa2d1db5017e5f97dd4437155f76a

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
85a791e1c9eb1e83a15e54fd0f0b442c

SHA1
fa5b1e4e93847096206952193339d95f0dde373c

SHA256
109593f4889d9fe646c0ef05a41b739d05bd88933fc5483499505707bbe22788

SHA512
ead9f80d10985ff5446f8677b5e4ec6140750900ed4d124368b82a5dae49a308e588ffad48d706774005941bd22f66fc14439a0600f0b686c2d3500d3ec5ae8c

Download Submit
\Users\Admin\AppData\Local\Temp\123.sfx.exe
MD5
63818d7dde7a6ef3748adab4d533838a

SHA1
330a16ab50f1d987e14294202f33025c679fe673

SHA256
f2c3431907d722d12cd4038a5c0a2cced3ed52a0f404847012465a028092b7c1

SHA512
76d42468324b2d965618829f8562b521eea315121e0584cfcec9c35a05da0c898126c4c2767aa2b50027c09e7a985a79c7bd59ac06cfb8dc339bc82b6ee013a6

Download Submit
memory/304-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/2012-68-0x000007FEF5B30000-0x000007FEF64CD000-memory.dmp

Filesize
9.6MB

Download
memory/2012-69-0x0000000001F20000-0x0000000001F22000-memory.dmp

Filesize
8KB

Download
memory/2012-70-0x000007FEEEE80000-0x000007FEEFF16000-memory.dmp

Filesize
16.6MB

Download