revengerat | 2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b

General

Target

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
Size

501KB
MD5

c8aa6223ca40f85c1ae6fd9024aab6ea
SHA1

895469c785046dce30badb4de957f5f89657ba0b
SHA256

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b
SHA512

9800a04b8b408940e0c54a752fc87b41edd79d7764cbb16a0357084ee8b1dc3d3a082b424ee3f68632cbb128bde0e867854e2216ec88de48c247d5c248bed530

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\virus.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

virus.sfx.exevirus.exe

pid process

2316 virus.sfx.exe
2664 virus.exe

pid	process
2316	virus.sfx.exe
2664	virus.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exeWScript.exevirus.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	virus.sfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exeWScript.execmd.exevirus.sfx.exevirus.exefondue.exe

description	pid	process	target process
PID 312 wrote to memory of 1424	312	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 312 wrote to memory of 1424	312	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 312 wrote to memory of 1424	312	2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe	WScript.exe
PID 1424 wrote to memory of 1952	1424	WScript.exe	cmd.exe
PID 1424 wrote to memory of 1952	1424	WScript.exe	cmd.exe
PID 1424 wrote to memory of 1952	1424	WScript.exe	cmd.exe
PID 1952 wrote to memory of 2316	1952	cmd.exe	virus.sfx.exe
PID 1952 wrote to memory of 2316	1952	cmd.exe	virus.sfx.exe
PID 1952 wrote to memory of 2316	1952	cmd.exe	virus.sfx.exe
PID 2316 wrote to memory of 2664	2316	virus.sfx.exe	virus.exe
PID 2316 wrote to memory of 2664	2316	virus.sfx.exe	virus.exe
PID 2316 wrote to memory of 2664	2316	virus.sfx.exe	virus.exe
PID 2664 wrote to memory of 3320	2664	virus.exe	fondue.exe
PID 2664 wrote to memory of 3320	2664	virus.exe	fondue.exe
PID 2664 wrote to memory of 3320	2664	virus.exe	fondue.exe
PID 3320 wrote to memory of 4752	3320	fondue.exe	FonDUE.EXE
PID 3320 wrote to memory of 4752	3320	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe
"C:\Users\Admin\AppData\Local\Temp\2932091c4558a42772f48d84e38ce9e2133aecc4d6c1cb7a2ec06dcf41f2b05b.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bat.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
virus.sfx.exe -p0JTQsNC70LXQtSDQuNC00ZHQvCDQstC+INCy0LrQu9Cw0LTQutGDICLQo9GB0YLQsNC90L7QstC60LDCuw== -dC:\Users\Admin\AppData\Local\Temp
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\virus.exe
"C:\Users\Admin\AppData\Local\Temp\virus.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
6⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
7⤵
PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bat.bat
MD5
313763e1158ac32e596f279922d5fa7a

SHA1
f53fd94eae3c4b49eaaea6d7276a027d592fa6fd

SHA256
cedeed1af7694e6e59ec05f0e07c87e083a110d7109289112b42c365ffab66ae

SHA512
850f1aac826e79f51e45edfda06f23fd37b6d9e1fc6851daee7dedd5ac4a5d1839fb3c7022d0cd3de8cd053bbb0db75c93b41081602a7ffe613d9afae38e0f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbs.vbs
MD5
78cd7fe96fcefee2dc19332106da3ebb

SHA1
c36b1f451e75734c99070fceea6fa1fef43c953f

SHA256
5147181b11646207d24192fb4d0b893b1ea2220f3b3ce032ff9057297ece794c

SHA512
18a304a4ba7b8d8680bf4727cd3f68595f3e00046872215fd68ddb6f9363b3b14637a7abc53b2aa97073b423f8c3814b5e8c8f385ab0c22f9598698305b1e56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe
MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.exe
MD5
bba5973bb251dd5c7867208a5d912341

SHA1
b852a70903aa537f82fe18e6a1d18ab414b44f46

SHA256
823bdc992a3eae89f6d9a117380344543b2547e78e3d10813563c916432ec92a

SHA512
89003db50df412c67aef2dc72a064e1cf93b4f14f618de373db2aee71c0559087140eec6c4a519829638949ac7bef009df5dab201ac45a0b592d92e7e976878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit
C:\Users\Admin\AppData\Local\Temp\virus.sfx.exe
MD5
0c2a42618a219916757349673caee33d

SHA1
108b16ade92cae3f05a05daf399931e3f460030e

SHA256
6346ecc38aaba94bc2a94cdf871983747c0641f7b6acab07cc6392a902f4dd2f

SHA512
50ba5e54cdab26b418bb3b593af1fb5dc150d0ca740a6fbc7759b9c3b12c1b1e0d6d255d53f6ecc93b3bb8cc51027dcb6064e8cfe9fa99e774bc9dd11678f495

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads