revengerat | aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b

General

Target

d6c4ade36b68cf81608e4d020753dac7.ps1
Size

144KB
MD5

d6c4ade36b68cf81608e4d020753dac7
SHA1

5f75f581c64a6e47183b1e6907af080b74f3de01
SHA256

aaa058a702aa5685df10d86f8af119ce93442a885496104b35719b103c81a52b
SHA512

19369bba499912144de311602d6952486146862e2433b51905de529455718d52bebc1bd0a72c08e691caf6cec347184da934be2094040a2d86bc1cbe13fee643

Score

10^/10

revengerat mr_ahmed trojan

Malware Config

Extracted

Family

revengerat

Botnet

MR_ahmed

C2

45.147.230.231:2222

Mutex

c416f58db13c4

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exePowerShell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	1252	mshta.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	1252	PowerShell.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

PowerShell.exe

description pid process target process

PID 3244 set thread context of 2260 3244 PowerShell.exe jsc.exe

description	pid	process	target process
PID 3244 set thread context of 2260	3244	PowerShell.exe	jsc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	jsc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jsc.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

pid process

2248 powershell.exe
2248 powershell.exe
4520 powershell.exe
4520 powershell.exe
3244 PowerShell.exe
3244 PowerShell.exe

pid	process
2248	powershell.exe
2248	powershell.exe
4520	powershell.exe
4520	powershell.exe
3244	PowerShell.exe
3244	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

description	pid	process
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	3244	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4520	powershell.exe
Token: SeSecurityPrivilege	4520	powershell.exe
Token: SeTakeOwnershipPrivilege	4520	powershell.exe
Token: SeLoadDriverPrivilege	4520	powershell.exe
Token: SeSystemProfilePrivilege	4520	powershell.exe
Token: SeSystemtimePrivilege	4520	powershell.exe
Token: SeProfSingleProcessPrivilege	4520	powershell.exe
Token: SeIncBasePriorityPrivilege	4520	powershell.exe
Token: SeCreatePagefilePrivilege	4520	powershell.exe
Token: SeBackupPrivilege	4520	powershell.exe
Token: SeRestorePrivilege	4520	powershell.exe
Token: SeShutdownPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	powershell.exe
Token: SeRemoteShutdownPrivilege	4520	powershell.exe
Token: SeUndockPrivilege	4520	powershell.exe
Token: SeManageVolumePrivilege	4520	powershell.exe
Token: 33	4520	powershell.exe
Token: 34	4520	powershell.exe
Token: 35	4520	powershell.exe
Token: 36	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	4520	powershell.exe
Token: SeSecurityPrivilege	4520	powershell.exe
Token: SeTakeOwnershipPrivilege	4520	powershell.exe
Token: SeLoadDriverPrivilege	4520	powershell.exe
Token: SeSystemProfilePrivilege	4520	powershell.exe
Token: SeSystemtimePrivilege	4520	powershell.exe
Token: SeProfSingleProcessPrivilege	4520	powershell.exe
Token: SeIncBasePriorityPrivilege	4520	powershell.exe
Token: SeCreatePagefilePrivilege	4520	powershell.exe
Token: SeBackupPrivilege	4520	powershell.exe
Token: SeRestorePrivilege	4520	powershell.exe
Token: SeShutdownPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	powershell.exe
Token: SeRemoteShutdownPrivilege	4520	powershell.exe
Token: SeUndockPrivilege	4520	powershell.exe
Token: SeManageVolumePrivilege	4520	powershell.exe
Token: 33	4520	powershell.exe
Token: 34	4520	powershell.exe
Token: 35	4520	powershell.exe
Token: 36	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	4520	powershell.exe
Token: SeSecurityPrivilege	4520	powershell.exe
Token: SeTakeOwnershipPrivilege	4520	powershell.exe
Token: SeLoadDriverPrivilege	4520	powershell.exe
Token: SeSystemProfilePrivilege	4520	powershell.exe
Token: SeSystemtimePrivilege	4520	powershell.exe
Token: SeProfSingleProcessPrivilege	4520	powershell.exe
Token: SeIncBasePriorityPrivilege	4520	powershell.exe
Token: SeCreatePagefilePrivilege	4520	powershell.exe
Token: SeBackupPrivilege	4520	powershell.exe
Token: SeRestorePrivilege	4520	powershell.exe
Token: SeShutdownPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeSystemEnvironmentPrivilege	4520	powershell.exe
Token: SeRemoteShutdownPrivilege	4520	powershell.exe
Token: SeUndockPrivilege	4520	powershell.exe
Token: SeManageVolumePrivilege	4520	powershell.exe
Token: 33	4520	powershell.exe
Token: 34	4520	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

description	pid	process	target process
PID 2248 wrote to memory of 4520	2248	powershell.exe	powershell.exe
PID 2248 wrote to memory of 4520	2248	powershell.exe	powershell.exe
PID 4520 wrote to memory of 4540	4520	powershell.exe	WScript.exe
PID 4520 wrote to memory of 4540	4520	powershell.exe	WScript.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe
PID 3244 wrote to memory of 2260	3244	PowerShell.exe	jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\d6c4ade36b68cf81608e4d020753dac7.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.vbs"
    3⤵
    PID:4540

C:\Windows\system32\mshta.exe
mshta.exe C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.hta
1⤵
- Process spawned unexpected child process
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\YHZYJGKGYAFXQEZFSRCPPY.ps1
1⤵
- Process spawned unexpected child process
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Checks processor information in registry
  PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.hta

Filesize
1KB

MD5
0d8a343d40a1b39911f99a4a90945f15

SHA1
14e929c8802ceead8f99f021cae794898cdc7b63

SHA256
307a105c994653aa1105f9d24361ca639b6810cf0d16619a76bbc00a7068a1ea

SHA512
91540228f349862be9691b0494e5d5165739673059deab2489f3c70f55dd6a480e03168e54f417f61b714965f732c041fac8d4ec9b1b73d829287c910aa08016

Download Submit
C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.ps1

Filesize
457B

MD5
f5b5dde5380cf041a4a9dd22e7000ec0

SHA1
64fb2e552fbf90fb611a175a3394d17c8666a181

SHA256
6ab8b8f9182d071179154757bcc71e8549a51bca67162355acaf4e9689946030

SHA512
deb685124b3c869e9553c9584e7d38fdad4cc191d43ae531fecc29e736be69571c03e4f021926dad923bc0cdf8aa49a12fcd94b0a1ee1cc42550d47d4af57e6b

Download Submit
C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\IICOZODNLSRPOHUBAJWZFK.vbs

Filesize
241B

MD5
56095721c87afb22ad91288a8ab5bb3e

SHA1
fdacb1a38b8e7f9a8e0fd6c138fc145315647511

SHA256
494c29aba65b0904efabc329e621fd45218bc43dc48dac0d21f88526c4b64fb3

SHA512
fda47210abe11874ba52e50263e5f232c38b011d08b4fb2a5062c8c85dbe8d94083ebd288caf032dbca2655417b930b5f92a1bec929e46ea1cdbd7498900d601

Download Submit
C:\ProgramData\IICOZODNLSRPOHUBAJWZFK\YHZYJGKGYAFXQEZFSRCPPY.ps1

Filesize
140KB

MD5
0c6860815643fd936f04c6c78c7fbfe1

SHA1
f2b20c69f67f32c2731e7f7611bc329db9d3cbd9

SHA256
37a94b72cec528ffaa6fb82559ba2dc0b82bc1270edc85e7cee98d16f6b9c242

SHA512
0dd9b63a92479b55f4e4b324bc10f26d684ae95420d151a958196257c2c36926bc5592cc042cb1207a3991fd75bd2248b6ce54436dbea31a261aebe39db036a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc35bf2367ee5c6feb084ab39f5c26eb

SHA1
cd9742c05391a92780a81fe836797a5909c7f9c1

SHA256
7ad08f1c2e7df4102eb3a6d213f4a0c245300c275fd53e463655a8ab9fa3ec64

SHA512
0b6662ea93907902c9f5db98bed4e9d322a69e7b8df921f6b8bd8026fdbfa556b0afe29013e3ecc8982a6339c48b4fe371ba587f02c39de72cb3840ed0e6747b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
114c984765eb689044341de54b5a3aea

SHA1
9b5a91858d34447b8c9d2fc3d7f3d8590370bd63

SHA256
bc1a08e1240cc558ce236b397c93cd070420fadf35e76621ae833dab0a1462d0

SHA512
4c80de26024941a1d4295a5dd41ca15331fd02d32371a53391ed38ff736cc42c44d7e1b059dd17648a6e9fc35f5ab78cba2d5a3f86aaa9f0661ae8920cd0d332

Download Submit
memory/2248-128-0x0000016196CA3000-0x0000016196CA5000-memory.dmp

Filesize
8KB

Download
memory/2248-124-0x00000161B2BF0000-0x00000161B2C12000-memory.dmp

Filesize
136KB

Download
memory/2248-127-0x0000016196CA0000-0x0000016196CA2000-memory.dmp

Filesize
8KB

Download
memory/2248-126-0x0000016196CA6000-0x0000016196CA8000-memory.dmp

Filesize
8KB

Download
memory/2248-125-0x00007FFAD3310000-0x00007FFAD3DD1000-memory.dmp

Filesize
10.8MB

Download
memory/2260-149-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/2260-145-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2260-150-0x0000000005B00000-0x0000000005B9C000-memory.dmp

Filesize
624KB

Download
memory/2260-146-0x0000000000404F5E-mapping.dmp

Download
memory/2260-151-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/3244-140-0x00007FFAD3310000-0x00007FFAD3DD1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-141-0x0000020F30400000-0x0000020F30402000-memory.dmp

Filesize
8KB

Download
memory/3244-142-0x0000020F30403000-0x0000020F30405000-memory.dmp

Filesize
8KB

Download
memory/3244-144-0x0000020F30380000-0x0000020F3039A000-memory.dmp

Filesize
104KB

Download
memory/3244-143-0x0000020F30406000-0x0000020F30408000-memory.dmp

Filesize
8KB

Download
memory/4520-138-0x0000016C15406000-0x0000016C15408000-memory.dmp

Filesize
8KB

Download
memory/4520-130-0x00007FFAD3310000-0x00007FFAD3DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-131-0x0000016C15400000-0x0000016C15402000-memory.dmp

Filesize
8KB

Download
memory/4520-132-0x0000016C15403000-0x0000016C15405000-memory.dmp

Filesize
8KB

Download
memory/4520-129-0x0000000000000000-mapping.dmp

Download
memory/4540-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads