revengerat | aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b | Triage

Sharing

General

Target

d6c4ade36b68cf81608e4d020753dac7.ps1
Size

144KB
Sample

220401-b7nplscde4
MD5

d6c4ade36b68cf81608e4d020753dac7
SHA1

5f75f581c64a6e47183b1e6907af080b74f3de01
SHA256

aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b
SHA512

19369bba499912144de311602d6952486146862e2433b51905de529455718d52bebc1bd0a72c08e691caf6cec347184da934be2094040a2d86bc1cbe13fee643

Score

10^/10

revengerat mr_ahmed trojan

Malware Config

Extracted

Family

revengerat

Botnet

MR_ahmed

C2

45.147.230.231:2222

Mutex

c416f58db13c4

Targets

- Target
  
  d6c4ade36b68cf81608e4d020753dac7.ps1
- Size
  
  144KB
- MD5
  
  d6c4ade36b68cf81608e4d020753dac7
- SHA1
  
  5f75f581c64a6e47183b1e6907af080b74f3de01
- SHA256
  
  aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b
- SHA512
  
  19369bba499912144de311602d6952486146862e2433b51905de529455718d52bebc1bd0a72c08e691caf6cec347184da934be2094040a2d86bc1cbe13fee643
Score

10^/10

revengerat mr_ahmed trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

revengeratmr_ahmedtrojan