revengerat | 0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

General

Target

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
Size

125KB
MD5

1672081c9a9a80b4f2f31e311958fa2c
SHA1

def154edfe4cb8465677ed3fd9fffe506a307caf
SHA256

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8
SHA512

ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Score

10^/10

revengerat dec stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

dec

C2

technovez.duckdns.org:6904

Mutex

RV_MUTEX-bCGPPiCCaKuSAtY

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2040-56-0x00000000002D0000-0x00000000002DA000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

igfxTy.exe

pid process

1716 igfxTy.exe
Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igfxTry.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1716	igfxTy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\igfxTry.exe	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exeigfxTy.exe

description	pid	process
Token: SeDebugPrivilege	2040	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
Token: SeDebugPrivilege	1716	igfxTy.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exeigfxTy.exevbc.exe

description	pid	process	target process
PID 2040 wrote to memory of 1716	2040	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe	igfxTy.exe
PID 2040 wrote to memory of 1716	2040	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe	igfxTy.exe
PID 2040 wrote to memory of 1716	2040	0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe	igfxTy.exe
PID 1716 wrote to memory of 1876	1716	igfxTy.exe	vbc.exe
PID 1716 wrote to memory of 1876	1716	igfxTy.exe	vbc.exe
PID 1716 wrote to memory of 1876	1716	igfxTy.exe	vbc.exe
PID 1876 wrote to memory of 1832	1876	vbc.exe	cvtres.exe
PID 1876 wrote to memory of 1832	1876	vbc.exe	cvtres.exe
PID 1876 wrote to memory of 1832	1876	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe
"C:\Users\Admin\AppData\Local\Temp\0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\igfxTy.exe
"C:\Users\Admin\AppData\Roaming\igfxTy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r5zxgxqp\r5zxgxqp.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC06.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc25131B97197F42D6B5AC57FAB3C4F5B9.TMP"
4⤵
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCC06.tmp
Filesize
1KB

MD5
e310b06fc82baaa054a005af12b33e7c

SHA1
4f71b299ad88b0b4b798024a0c04b5b768bed152

SHA256
7b7e513ef507ff04fc6b9adb34278073bbd272c0329d13d3b92835e645a8ad38

SHA512
b946049add1c1ff26baff5573c9052860ead212336fa7803232c6151fb42ec29d1eba3e25d7fb4f84398d5c1eb88486c2db6e5ec2168969acabdef2897372739

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5zxgxqp\r5zxgxqp.0.vb
Filesize
150B

MD5
de1cb7931f167cba871c26b1b87cfc57

SHA1
d0b314bb3c956581507b9e77e5ba79ce1a66f83b

SHA256
45210f7fb5d10fc4f290fb955c01155b5f06afd25032ac659441ecfc77eaaa63

SHA512
9b0701087661f8e1873a57f06b7b730331439b4ff8e5aa71023e41fec2642b766b27c703ebdaafd268963e4c1f0a832989bad9f5e14e7f38acd5ed4a8bb4e474

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5zxgxqp\r5zxgxqp.cmdline
Filesize
204B

MD5
e39dd4a46b48bfcce2de11ec5afdf3b8

SHA1
298530749498e0990d34994aae2e228915d8d9dc

SHA256
e739545df673b971f62026cdae4a569925c0c3faa844699eb179467c195237c8

SHA512
dce931824e1d31615a752f95b475601d2020a8c66c718b6e5a3361386ac3f70fbbfbd34dacdf9325147432d523c751cb328f0044e5574beaf60fb0de97ec3ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc25131B97197F42D6B5AC57FAB3C4F5B9.TMP
Filesize
1KB

MD5
04602bf0a81f601887f55a9fabcfb1bf

SHA1
bb2dd4f4f6f5e8e9fafac6ad6a030c89bdc80817

SHA256
6725a8648301a9a9a40eda6b7ce2bdbaa908117bebe3f847792a76eaea15c334

SHA512
fdf211ac6a7830a6f067e387ad0ec382ae30d4cff09322365a26236654678b57317cf96beb2037f45886e66fd82a09925d92edc3d67c649992a510597578703b

Download Submit
C:\Users\Admin\AppData\Roaming\igfxTy.exe
Filesize
125KB

MD5
1672081c9a9a80b4f2f31e311958fa2c

SHA1
def154edfe4cb8465677ed3fd9fffe506a307caf

SHA256
0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

SHA512
ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Download Submit
C:\Users\Admin\AppData\Roaming\igfxTy.exe
Filesize
125KB

MD5
1672081c9a9a80b4f2f31e311958fa2c

SHA1
def154edfe4cb8465677ed3fd9fffe506a307caf

SHA256
0ffc68fbcfbbe41a6953e4fec099c7082c8fa733273dadd0c197a600be6db5e8

SHA512
ca292e87ec1b297e0e9bf5f8f270e67a13e20b78c0784fc80da421ba039a89104fe7792bc771acd024f48381979688febeffe65cfbbd1e19b52df768b04a50ca

Download Submit
memory/1716-57-0x0000000000000000-mapping.dmp

Download
memory/1716-61-0x000000001B120000-0x000000001B122000-memory.dmp

Filesize
8KB

Download
memory/1716-60-0x0000000000AF0000-0x0000000000B16000-memory.dmp

Filesize
152KB

Download
memory/1832-65-0x0000000000000000-mapping.dmp

Download
memory/1876-62-0x0000000000000000-mapping.dmp

Download
memory/2040-54-0x0000000000900000-0x0000000000926000-memory.dmp

Filesize
152KB

Download
memory/2040-56-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download
memory/2040-55-0x000000001B200000-0x000000001B202000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads