revengerat | 57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44

General

Target

49c17404c6314b837c9f3b49aba9bf7e.ps1
Size

144KB
MD5

49c17404c6314b837c9f3b49aba9bf7e
SHA1

dce337aa57cdf134e0c7a7101353777346e964e2
SHA256

57d84d42d12c04652cf87f1b1255e0f6ada7674751200ba1d2298941deb5cd44
SHA512

8018e8ad4f98cbea91218fd378c3f0a90ab172f6176a6d17016f2d23c1783250fa1467ee2f2023036dd8826816586d90f920f351929ca93d3e710feaf19cb268

Score

10^/10

revengerat mr_ahmed trojan

Malware Config

Extracted

Family

revengerat

Botnet

MR_ahmed

C2

45.147.230.231:2222

Mutex

c416f58db13c4

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exePowerShell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4556	mshta.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4556	PowerShell.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Suspicious use of SetThreadContext 1 IoCs

Processes:

PowerShell.exe

description pid process target process

PID 4388 set thread context of 4548 4388 PowerShell.exe jsc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4492 4512 WerFault.exe powershell.exe

description	pid	process	target process
PID 4388 set thread context of 4548	4388	PowerShell.exe	jsc.exe

pid	pid_target	process	target process
4492	4512	WerFault.exe	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	jsc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jsc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

pid	process
3112	powershell.exe
3112	powershell.exe
4512	powershell.exe
4512	powershell.exe
4388	PowerShell.exe
4388	PowerShell.exe
4388	PowerShell.exe
4388	PowerShell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

description	pid	process
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe
Token: 36	4512	powershell.exe
Token: SeDebugPrivilege	4388	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4512	powershell.exe
Token: SeSecurityPrivilege	4512	powershell.exe
Token: SeTakeOwnershipPrivilege	4512	powershell.exe
Token: SeLoadDriverPrivilege	4512	powershell.exe
Token: SeSystemProfilePrivilege	4512	powershell.exe
Token: SeSystemtimePrivilege	4512	powershell.exe
Token: SeProfSingleProcessPrivilege	4512	powershell.exe
Token: SeIncBasePriorityPrivilege	4512	powershell.exe
Token: SeCreatePagefilePrivilege	4512	powershell.exe
Token: SeBackupPrivilege	4512	powershell.exe
Token: SeRestorePrivilege	4512	powershell.exe
Token: SeShutdownPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeSystemEnvironmentPrivilege	4512	powershell.exe
Token: SeRemoteShutdownPrivilege	4512	powershell.exe
Token: SeUndockPrivilege	4512	powershell.exe
Token: SeManageVolumePrivilege	4512	powershell.exe
Token: 33	4512	powershell.exe
Token: 34	4512	powershell.exe
Token: 35	4512	powershell.exe
Token: 36	4512	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

powershell.exepowershell.exePowerShell.exe

description	pid	process	target process
PID 3112 wrote to memory of 4512	3112	powershell.exe	powershell.exe
PID 3112 wrote to memory of 4512	3112	powershell.exe	powershell.exe
PID 4512 wrote to memory of 2772	4512	powershell.exe	WScript.exe
PID 4512 wrote to memory of 2772	4512	powershell.exe	WScript.exe
PID 4388 wrote to memory of 4588	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4588	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4588	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe
PID 4388 wrote to memory of 4548	4388	PowerShell.exe	jsc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\49c17404c6314b837c9f3b49aba9bf7e.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.ps1'"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.vbs"
3⤵
PID:2772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4512 -s 2368
3⤵
- Program crash
PID:4492

C:\Windows\system32\mshta.exe
mshta.exe C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.hta
1⤵
- Process spawned unexpected child process
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\CDCELITETZDURXFLXDLWOS.ps1
1⤵
- Process spawned unexpected child process
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:4588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
- Checks processor information in registry
PID:4548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4512 -ip 4512
1⤵
PID:3116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\CDCELITETZDURXFLXDLWOS.ps1
Filesize
140KB

MD5
8c477468d34508fb055130af5ff77490

SHA1
f2e3b8d26ef690aa2bb82f483731a6cf62798edc

SHA256
e931a8c19bdd628a3f041ffb97fee15d8effea525fa48843103e349a6f63182a

SHA512
06fd4463c3b893a03054c46dfea56d7909a3af8334a2fbfaad4e7ae1fe8f8455797c06d32eb273e58c0111795617cb414771034ca07bfd40401959c03206d51d

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.hta
Filesize
1KB

MD5
413177dd4afafe33eb7c5952d43034c1

SHA1
0a10af7cc12eb204a11111efa7d56026e3626e19

SHA256
ac74a5caefedb5972ab36c73cb14ef26081c2b2252b9c345247544fdeb2e61cf

SHA512
3e8dfcbb0b21bbf619b827b5657f98a1270620ef6406fe6dbcd9c75eceeaadddd853e1e05711bc3e1108e3a765228141b591f3ab850a1f272fa0d29775638275

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.ps1
Filesize
457B

MD5
5f55e2ba5f18fa00afceee9a423c4080

SHA1
a44178094ac1cc7c6487a833618e03b810e5ae8a

SHA256
00c9f8218e35dd8108257461b6b36e74dabb5054a9de7aca4bfbe0c380107a52

SHA512
c13dbd7e45848e1b9b2abdd5f84a38825f73cabf8cc1f6a3443bc923f102b9d2298d070daa27c3494d013ea9de88395f4caf4a691764d833a47e15efe0191601

Download Submit
C:\ProgramData\YNBKKUFELDSRHTLNWVKDUS\YNBKKUFELDSRHTLNWVKDUS.vbs
Filesize
241B

MD5
369b5c8fb7984dcf1b5161895f568db6

SHA1
709c93fcc43bd6dc37fa47ecc20ab7590a8e095c

SHA256
d1c8024152c41388b106dc3dc45911e69b3f7e555446285701922625d43e1575

SHA512
368db5a79283958c65041986d4a47eeb960c6689f724ad79540936acdcf511f1ca1ba3772fc71d442905a3bb97c226317643a397e37aa465a0840f58a4698e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
27f1abfa31d04afa3c4a830c8bea11b1

SHA1
122876aefbf505dbf73c3235450c9d19d451e430

SHA256
ec0f5d7ea734b81064cc4f46a1a9800b2cfa24aa4cc596b1d91aacf6fc9ff8b6

SHA512
502adaf175576d3f9b6c577103c5903ab70ab73d78e63b4a39da33d8d25206ef55c6bb4ad6a99d4dbe64724e4a4fe1c915968570b93948ddcdaef72af2ad5fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2247453c28acd1eb75cfe181540458a8

SHA1
851fc5a9950d422d76163fdc6a453d6859d56660

SHA256
358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd

SHA512
42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

Download Submit
memory/2772-131-0x0000000000000000-mapping.dmp

Download
memory/3112-128-0x000001CD3EFE3000-0x000001CD3EFE5000-memory.dmp

Filesize
8KB

Download
memory/3112-127-0x000001CD3EFE0000-0x000001CD3EFE2000-memory.dmp

Filesize
8KB

Download
memory/3112-126-0x000001CD3EFE6000-0x000001CD3EFE8000-memory.dmp

Filesize
8KB

Download
memory/3112-125-0x00007FFDAAC10000-0x00007FFDAB6D1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-124-0x000001CD3F1F0000-0x000001CD3F212000-memory.dmp

Filesize
136KB

Download
memory/4388-141-0x000001BDF0C90000-0x000001BDF0C92000-memory.dmp

Filesize
8KB

Download
memory/4388-144-0x000001BDF0C30000-0x000001BDF0C4A000-memory.dmp

Filesize
104KB

Download
memory/4388-140-0x00007FFDAAC10000-0x00007FFDAB6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4388-143-0x000001BDF0C96000-0x000001BDF0C98000-memory.dmp

Filesize
8KB

Download
memory/4388-142-0x000001BDF0C93000-0x000001BDF0C95000-memory.dmp

Filesize
8KB

Download
memory/4512-137-0x000001DC65AB3000-0x000001DC65AB5000-memory.dmp

Filesize
8KB

Download
memory/4512-138-0x000001DC65AB6000-0x000001DC65AB8000-memory.dmp

Filesize
8KB

Download
memory/4512-136-0x000001DC65AB0000-0x000001DC65AB2000-memory.dmp

Filesize
8KB

Download
memory/4512-135-0x00007FFDAAC10000-0x00007FFDAB6D1000-memory.dmp

Filesize
10.8MB

Download
memory/4512-129-0x0000000000000000-mapping.dmp

Download
memory/4548-146-0x0000000000404F5E-mapping.dmp

Download
memory/4548-145-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4548-147-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/4548-150-0x0000000005D40000-0x0000000005DDC000-memory.dmp

Filesize
624KB

Download
memory/4548-151-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads