revengerat | 62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

Analysis

max time kernel
4294226s
max time network
183s
platform
windows7_x64
resource
win7-20220311-en
submitted
24-03-2022 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
Size

253KB
MD5

5a4b3fa6f4a0079519d06323def7b733
SHA1

1ba0e00f1364edf9cf360a5a0ddbc99274ca5755
SHA256

62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3
SHA512

386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 7 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

736 RegSvcs.exe
1512 RegSvcs.exe

pid	process
736	RegSvcs.exe
1512	RegSvcs.exe

Drops startup file 7 IoCs

Processes:

RegSvcs.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.URL	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.js	RegSvcs.exe

Loads dropped DLL 3 IoCs

Processes:

62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exeRegSvcs.exe

pid	process
1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
736	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs = "C:\\Users\\Admin\\AppData\\Roaming\\RegSvcs.exe"	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

540 schtasks.exe

pid	process
540	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exeRegSvcs.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
Token: SeDebugPrivilege	736	RegSvcs.exe
Token: SeDebugPrivilege	1512	RegSvcs.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1428 DllHost.exe

pid	process
1428	DllHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exeRegSvcs.exevbc.exetaskeng.exe

description	pid	process	target process
PID 1884 wrote to memory of 736	1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe	RegSvcs.exe
PID 1884 wrote to memory of 736	1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe	RegSvcs.exe
PID 1884 wrote to memory of 736	1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe	RegSvcs.exe
PID 1884 wrote to memory of 736	1884	62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe	RegSvcs.exe
PID 736 wrote to memory of 992	736	RegSvcs.exe	vbc.exe
PID 736 wrote to memory of 992	736	RegSvcs.exe	vbc.exe
PID 736 wrote to memory of 992	736	RegSvcs.exe	vbc.exe
PID 736 wrote to memory of 992	736	RegSvcs.exe	vbc.exe
PID 992 wrote to memory of 1756	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1756	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1756	992	vbc.exe	cvtres.exe
PID 992 wrote to memory of 1756	992	vbc.exe	cvtres.exe
PID 736 wrote to memory of 540	736	RegSvcs.exe	schtasks.exe
PID 736 wrote to memory of 540	736	RegSvcs.exe	schtasks.exe
PID 736 wrote to memory of 540	736	RegSvcs.exe	schtasks.exe
PID 736 wrote to memory of 540	736	RegSvcs.exe	schtasks.exe
PID 1312 wrote to memory of 1512	1312	taskeng.exe	RegSvcs.exe
PID 1312 wrote to memory of 1512	1312	taskeng.exe	RegSvcs.exe
PID 1312 wrote to memory of 1512	1312	taskeng.exe	RegSvcs.exe
PID 1312 wrote to memory of 1512	1312	taskeng.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe
"C:\Users\Admin\AppData\Local\Temp\62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Roaming\RegSvcs.exe
"C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6qq_4bv_.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2E2.tmp"
4⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
3⤵
- Creates scheduled task(s)
PID:540

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1428

C:\Windows\system32\taskeng.exe
taskeng.exe {9A8367D0-F039-4BE3-87E5-AB8981290ACD} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Roaming\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\258849.ico
MD5
85eeca6a4a2bc8d26651bc38eeda8ccc

SHA1
a69cb5c71af52aa11293304a5aad5a075a68e6e3

SHA256
64eb82ea1321fefcce0bcec3aab711d5a4c9316e3f0fb0c7bcb416aeb84a179f

SHA512
a7e830e3e370af9b283049d5f8e0507385c75b25332cc10e06e61b0b426a4eb972159c897db05fa413d1d400ba6151810d510d4a89fa2c0df60cf77a1b4cd3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qq_4bv_.0.vb
MD5
8e933c7ad82b1e7f504165b0efa6cafa

SHA1
1886bbeb188d0fde157e12bbed647bf81845f619

SHA256
3fea4d3b7e507d1d37251de3eb20f8cb88bb65d20b9886c6f9f8f9b3a728ff2f

SHA512
9078aa4697c2e0432fc3777367a73cda20ea7804585811d41835985c1fd261c003cdb223d18592c73bb1dac303d43e5e09a6ac775dff3b31e68f648b3a1ddd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qq_4bv_.cmdline
MD5
653263b0090b8f059fd89c276d5ce9eb

SHA1
c11a2fcec7d77e90fd1f62e8c80bdc2e7958fbcf

SHA256
f8bfef7f84db15bf276ff854e947b57e837cb0a2d75ff46619c0d319d9011d19

SHA512
c6a4039719e8eccb94b51467dcce37b60f5ebad727350b982f70647c55fb1c00f5817f62d8c77d4487887d2912696ebc665199fd4ebc4518a8878974e35993c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2F2.tmp
MD5
f1c9b8b6f4e5a800aa4e551b12d279b1

SHA1
fa4521a62b88704026dd5929ba77f8dd6784e411

SHA256
98c453380af11305568d39b966feb82b0fb6267814e36aadd02b17841e7c1b97

SHA512
3820a516cb64ff73d262b8935b0892eaf00dbb5c002067ecc59772f4113f921ede0d4f9f389cba07aee78596479b41a14e288a36692c4084b03e9a634542f862

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcC2E2.tmp
MD5
1ec7eb9fc04b4875c6d0f0f8a8b07fb0

SHA1
bf88f3803548c1d4b7cf13eff8148458d6edf10b

SHA256
741e96f4ca691e0a332ada5b72fb8d1e8f4be8b58a98e7b1415c48b1b7eff3e3

SHA512
fedd17e57c1f245b65df77427af9ad2fd1f9db8dbe6ceee9844ea83af6e3b92d2fb6445c1ff408926c4409fbcdb6650afccf83da93ed80bccec7087bf999ae90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
MD5
5a4b3fa6f4a0079519d06323def7b733

SHA1
1ba0e00f1364edf9cf360a5a0ddbc99274ca5755

SHA256
62f7c8851faedd693032719515994806744be3ed6ebb1ef661a775562b6e8aa3

SHA512
386d4def63b63d2aa0a5ab2323edee4545702bafd257af144ad74fa790482afd93e085053b8f244ec4f2a6c2cf952adf11f1b425c9da04c475a784003df7d87d

Download Submit
memory/540-71-0x0000000000000000-mapping.dmp

Download
memory/736-58-0x0000000000000000-mapping.dmp

Download
memory/736-62-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/992-64-0x0000000000000000-mapping.dmp

Download
memory/1428-73-0x00000000000F0000-0x00000000000F2000-memory.dmp

Filesize
8KB

Download
memory/1512-75-0x0000000000000000-mapping.dmp

Download
memory/1512-78-0x0000000074120000-0x00000000746CB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-68-0x0000000000000000-mapping.dmp

Download
memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1884-55-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Filesize
5.7MB

Download