revengerat | 74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

Analysis

max time kernel
4294210s
max time network
160s
platform
windows7_x64
resource
win7-20220311-en
submitted
29-03-2022 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
Size

218KB
MD5

bc81f713f5c4ea0d5a77dc19bf4ee185
SHA1

05768e9d217782b66e622cdb4d8ec28a63a8a5d8
SHA256

74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377
SHA512

a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 7 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	revengerat
C:\Users\Admin\AppData\Roaming\RegSvcs.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

112 RegSvcs.exe
1448 RegSvcs.exe

pid	process
112	RegSvcs.exe
1448	RegSvcs.exe

Drops startup file 7 IoCs

Processes:

vbc.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.js	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.lnk	RegSvcs.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.URL	RegSvcs.exe

Loads dropped DLL 3 IoCs

Processes:

74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exeRegSvcs.exe

pid	process
1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
112	RegSvcs.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegSvcs = "C:\\Users\\Admin\\AppData\\Roaming\\RegSvcs.exe"	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1352 schtasks.exe

pid	process
1352	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exeRegSvcs.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
Token: SeDebugPrivilege	112	RegSvcs.exe
Token: SeDebugPrivilege	1448	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exeRegSvcs.exevbc.exetaskeng.exe

description	pid	process	target process
PID 1996 wrote to memory of 112	1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe	RegSvcs.exe
PID 1996 wrote to memory of 112	1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe	RegSvcs.exe
PID 1996 wrote to memory of 112	1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe	RegSvcs.exe
PID 1996 wrote to memory of 112	1996	74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe	RegSvcs.exe
PID 112 wrote to memory of 1520	112	RegSvcs.exe	vbc.exe
PID 112 wrote to memory of 1520	112	RegSvcs.exe	vbc.exe
PID 112 wrote to memory of 1520	112	RegSvcs.exe	vbc.exe
PID 112 wrote to memory of 1520	112	RegSvcs.exe	vbc.exe
PID 1520 wrote to memory of 1032	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1032	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1032	1520	vbc.exe	cvtres.exe
PID 1520 wrote to memory of 1032	1520	vbc.exe	cvtres.exe
PID 112 wrote to memory of 1352	112	RegSvcs.exe	schtasks.exe
PID 112 wrote to memory of 1352	112	RegSvcs.exe	schtasks.exe
PID 112 wrote to memory of 1352	112	RegSvcs.exe	schtasks.exe
PID 112 wrote to memory of 1352	112	RegSvcs.exe	schtasks.exe
PID 1708 wrote to memory of 1448	1708	taskeng.exe	RegSvcs.exe
PID 1708 wrote to memory of 1448	1708	taskeng.exe	RegSvcs.exe
PID 1708 wrote to memory of 1448	1708	taskeng.exe	RegSvcs.exe
PID 1708 wrote to memory of 1448	1708	taskeng.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe
"C:\Users\Admin\AppData\Local\Temp\74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Roaming\RegSvcs.exe
"C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\brm1gaow.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6691.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6690.tmp"
4⤵
PID:1032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "RegSvcs" /tr "C:\Users\Admin\AppData\Roaming\RegSvcs.exe"
3⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\taskeng.exe
taskeng.exe {38843208-A0D0-48F4-A7AE-7308B7453144} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Roaming\RegSvcs.exe
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6691.tmp
Filesize
1KB

MD5
d8b6ba3ed2061a6e594323f8e880b120

SHA1
e07f865d51f2bfaf1a7ac1579a3ba89d97632e39

SHA256
0b603a9cb3fa3d4acdeed622736417282b812c374dcd6b988d8f6885a82ca51e

SHA512
143570dc0c4050e8e672958454c9249f26b94c1263811fec7bacf5515fa2b05d8e58a8ab69afb6b1085ba25aa4df40500a2e541df0d7740d5fba8e744df86be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\brm1gaow.0.vb
Filesize
152B

MD5
58d804d072d197fe2ac06f5a2a29a4f5

SHA1
06cf7a6be879a1255a755f5166489bd4b01c2eb2

SHA256
b3ffab9f80a378c1220d6a94510b7ed4109f3c2856bfdb66e463dcc55e6873f6

SHA512
e34db96456f9b9a3a1939e8ac52fdde5848547c38cc09e8ce9ba24a704eeaafba56da570e890805ff20fbc35e0c65c9614441e88481e7f72b583977019573add

Download Submit
C:\Users\Admin\AppData\Local\Temp\brm1gaow.cmdline
Filesize
195B

MD5
6c783cc08c29fad634029a36df3287dd

SHA1
ef0e25e6e1d69d18d4881b57226425e42877954a

SHA256
224319e4ed04ccca2ffc2a6093c36e9ced160368ef4a3de09157d2929f9b2913

SHA512
a20a73f18d7b9c9b796ee7a3d9c8ee1d50d986a25dc0802d3b17313ac3a4f0ad9b50b3cd69b5d10d162166eded98594759626a770c15f98f15ec9e6e6df386c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6690.tmp
Filesize
644B

MD5
1ec7eb9fc04b4875c6d0f0f8a8b07fb0

SHA1
bf88f3803548c1d4b7cf13eff8148458d6edf10b

SHA256
741e96f4ca691e0a332ada5b72fb8d1e8f4be8b58a98e7b1415c48b1b7eff3e3

SHA512
fedd17e57c1f245b65df77427af9ad2fd1f9db8dbe6ceee9844ea83af6e3b92d2fb6445c1ff408926c4409fbcdb6650afccf83da93ed80bccec7087bf999ae90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
C:\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
\Users\Admin\AppData\Roaming\RegSvcs.exe
Filesize
218KB

MD5
bc81f713f5c4ea0d5a77dc19bf4ee185

SHA1
05768e9d217782b66e622cdb4d8ec28a63a8a5d8

SHA256
74053df09d411d72ee9914bf28485bce540cd13ab4722ba3de0c53e366426377

SHA512
a7f96d90cbda54ba5953055f707041ab0b6da3611a5fc024df3ab509d4a75a19293ae4f7ed3759f9a4f412ca3342765ed8dc19cc83e847e5db7f140aa965f541

Download Submit
memory/112-58-0x0000000000000000-mapping.dmp

Download
memory/112-62-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/1032-68-0x0000000000000000-mapping.dmp

Download
memory/1352-71-0x0000000000000000-mapping.dmp

Download
memory/1448-72-0x0000000000000000-mapping.dmp

Download
memory/1448-75-0x0000000073C50000-0x00000000741FB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-64-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000074C61000-0x0000000074C63000-memory.dmp

Filesize
8KB

Download
memory/1996-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download