revengerat | 94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12

General

Target

94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe
Size

65KB
MD5

13a4841e9114114472aaaf0e3faa1be0
SHA1

d9b1529c9c5d0257a7c68c8517ab3ae01ae535c9
SHA256

94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12
SHA512

69747c9efbd3e7845068f5b53413b625a284b54e01623ab3c7bd413b8561d0a31f5d8cdd506f280eb8a06dd0f6df0d8636fe87c5cdda5c914e46e6bf1b4eab39

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1344-58-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1344-60-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1344-61-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1344-59-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1344-62-0x00000000004110BE-mapping.dmp	revengerat
behavioral1/memory/1344-64-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat

Suspicious use of SetThreadContext 2 IoCs

Processes:

94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exeaspnet_compiler.exe

description	pid	process	target process
PID 1132 set thread context of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1344 set thread context of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe
Token: SeDebugPrivilege	1344	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exeaspnet_compiler.exe

description	pid	process	target process
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1132 wrote to memory of 1344	1132	94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe
PID 1344 wrote to memory of 632	1344	aspnet_compiler.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe
"C:\Users\Admin\AppData\Local\Temp\94100e5aa10700946bc196b704fb39d8857b3bb0ee9feef626b60abcc19d7e12.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RRtNHuiGG.txt

MD5
0bcb98b10864f4924bc314ba816e0adf

SHA1
96f6570c49ca40e648f5b2ab6abd83896b3e6c86

SHA256
5c01f276fc40a9ba7fd9a791785298e3fc2b3381d82b434274d595981cca508e

SHA512
6fa0f647e5e1bf185904099cee2c6176d456d94fb2274b3f5b6db1a96c950bd34e1359946a3bffd0ebf8463e324b59c9a8e3143e4c47bf9b46cfc6b88d7914d1

Download Submit
memory/632-71-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-79-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-74-0x00000000004070EE-mapping.dmp

Download
memory/632-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-77-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/632-81-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1132-66-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-68-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-62-0x00000000004110BE-mapping.dmp

Download
memory/1344-59-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-56-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1344-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads