revengerat | 1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280

General

Target

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
Size

254KB
MD5

2e0028323603aa6918e38e0c92755825
SHA1

f477007ed48ad39afb53d5c82383bc99423fb2ef
SHA256

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280
SHA512

2de163f12b6ae8ca02ece0b94c9dc9fa24f8d645f8ac2ebc054b6e141aa0204073f50cf357cdfb74979ed164f1a5af01262270bc7ba60486a69dc24005ed8df0

Score

10^/10

revengerat nov stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Nov

C2

80.82.68.21:3333

Mutex

RV_MUTEX-IgZblRvZwfRt

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/580-55-0x00000000005A0000-0x00000000005DA000-memory.dmp	beds_protector

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1420-70-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1420-71-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1420-72-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/1420-74-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1420-76-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

description	pid	process	target process
PID 112 set thread context of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

632 timeout.exe

pid	process
632	timeout.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exepowershell.exe1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

pid	process
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
1660	powershell.exe
1660	powershell.exe
1660	powershell.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

WScript.exe

pid process

1468 WScript.exe

pid	process
1468	WScript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exepowershell.exe1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

description	pid	process
Token: SeDebugPrivilege	580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
Token: SeDebugPrivilege	1420	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.execmd.exepowershell.exe1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

description	pid	process	target process
PID 580 wrote to memory of 988	580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	cmd.exe
PID 580 wrote to memory of 988	580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	cmd.exe
PID 580 wrote to memory of 988	580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	cmd.exe
PID 580 wrote to memory of 988	580	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	cmd.exe
PID 988 wrote to memory of 632	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 632	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 632	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 632	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 1660	988	cmd.exe	powershell.exe
PID 988 wrote to memory of 1660	988	cmd.exe	powershell.exe
PID 988 wrote to memory of 1660	988	cmd.exe	powershell.exe
PID 988 wrote to memory of 1660	988	cmd.exe	powershell.exe
PID 1660 wrote to memory of 1468	1660	powershell.exe	WScript.exe
PID 1660 wrote to memory of 1468	1660	powershell.exe	WScript.exe
PID 1660 wrote to memory of 1468	1660	powershell.exe	WScript.exe
PID 1660 wrote to memory of 1468	1660	powershell.exe	WScript.exe
PID 1660 wrote to memory of 112	1660	powershell.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 1660 wrote to memory of 112	1660	powershell.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 1660 wrote to memory of 112	1660	powershell.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 1660 wrote to memory of 112	1660	powershell.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
PID 112 wrote to memory of 1420	112	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe	1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe

C:\Users\Admin\AppData\Local\Temp\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
"C:\Users\Admin\AppData\Local\Temp\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\927543.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\927543.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\927543.js"
      4⤵
      Suspicious behavior: RenamesItself
      PID:1468
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe"
      4⤵
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1538bdbcaa726662785bd503063af939f08260b45400292592bf63caa4d8a280.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\927543.js

MD5
0f3972f0eb12f2eec25d627fe5f5eb4d

SHA1
4515e37481966627778bb814018e284d631624fd

SHA256
d5a0a6a8d207c52c63261317eb572637407ff197161c66cf27f4fb4522e0e3f5

SHA512
1ff14a996ea42c3d03fdae0038e3fe228c2d0e54ee96dd25c332647c1f814fa4f4b89db0896538cf6fa838d347acaab19ad56934b29df189357787bec50a88dd

Download Submit
memory/112-66-0x0000000000C80000-0x0000000000CC4000-memory.dmp

Filesize
272KB

Download
memory/112-65-0x0000000000000000-mapping.dmp

Download
memory/580-55-0x00000000005A0000-0x00000000005DA000-memory.dmp

Filesize
232KB

Download
memory/580-54-0x0000000000C80000-0x0000000000CC4000-memory.dmp

Filesize
272KB

Download
memory/632-57-0x0000000000000000-mapping.dmp

Download
memory/988-56-0x0000000000000000-mapping.dmp

Download
memory/1420-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1420-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1420-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1420-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1420-72-0x0000000000405DCE-mapping.dmp

Download
memory/1420-74-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1420-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1468-63-0x0000000000000000-mapping.dmp

Download
memory/1660-61-0x0000000002450000-0x000000000309A000-memory.dmp

Filesize
12.3MB

Download
memory/1660-60-0x0000000073AD0000-0x000000007407B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-59-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1660-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads