revengerat | fa57f7cba4406d815947a3a2481842f6b0e1c6d82cb3e78d0526b1921222363b

General

Target

FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
Size

1.2MB
MD5

c254954614087279f57a4ccf72b0f17e
SHA1

c9d682effba1ee1e88dc85d8266b8ed4856ffad7
SHA256

fa57f7cba4406d815947a3a2481842f6b0e1c6d82cb3e78d0526b1921222363b
SHA512

c3a0cc93d2db9f02ab404272ede18ad4b17345eae431b040b80713d8e4b684ccb5b4be09675afcdf751d45bf90e1b8ac903f2e5d3ba27d36d2976a883d981187

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1788-68-0x00000000003A0000-0x00000000003B8000-memory.dmp	revengerat
behavioral1/memory/1356-85-0x0000000000310000-0x0000000000328000-memory.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

nep.exetemp987879.exe

pid process

1664 nep.exe
1788 temp987879.exe
Loads dropped DLL 2 IoCs

Processes:

FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

pid process

276 FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276 FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

pid	process
1664	nep.exe
1788	temp987879.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\temp987879.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

temp987879.exeInstallUtil.exe

description	pid	process	target process
PID 1788 set thread context of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1356 set thread context of 732	1356	InstallUtil.exe	InstallUtil.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

temp987879.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 1788 temp987879.exe
Token: SeDebugPrivilege 1356 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1788	temp987879.exe
Token: SeDebugPrivilege	1356	InstallUtil.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

pid	process
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

pid	process
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exetemp987879.exeInstallUtil.exe

description	pid	process	target process
PID 276 wrote to memory of 1664	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	nep.exe
PID 276 wrote to memory of 1664	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	nep.exe
PID 276 wrote to memory of 1664	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	nep.exe
PID 276 wrote to memory of 1664	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	nep.exe
PID 276 wrote to memory of 1788	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	temp987879.exe
PID 276 wrote to memory of 1788	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	temp987879.exe
PID 276 wrote to memory of 1788	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	temp987879.exe
PID 276 wrote to memory of 1788	276	FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe	temp987879.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1788 wrote to memory of 1356	1788	temp987879.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe
PID 1356 wrote to memory of 732	1356	InstallUtil.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe
"C:\Users\Admin\AppData\Local\Temp\FA57F7CBA4406D815947A3A2481842F6B0E1C6D82CB3E.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:276
- C:\Users\Admin\AppData\Roaming\Microsoft\nep.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\nep.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Users\Admin\AppData\Roaming\Microsoft\temp987879.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\temp987879.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qIqbexi.txt

Filesize
55B

MD5
2a2c0a9b9eaefc42f7d37d6b81cd22b1

SHA1
1cb28f3d767abac11bb3602a900cfbb1cfaa1d22

SHA256
78424234f3eb27d71afe40cfdb4366068734670257ad2845681152145e9b3ef9

SHA512
6e2aa4e94d5b537c7a4fc839e788d7f20e1838ad92fadb4efaa0c2c1363c4be91c7a7bcc16914261152a0836a8b3079e2d643dca45ba4f28f5ab4d67420f8f75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nep.exe

Filesize
141KB

MD5
b0357e7983f063ee315da468d588ec56

SHA1
da3b5d6fa1c9f7af8e4c65be69299d8c8b6a1fa1

SHA256
50712085a9304b703b0b2ef4ea501db68e8a8548f3a87f39f2c84ed651cd42a7

SHA512
386d6c56d80f3f56265307c428ecbe528056767b780c0f0808873ecbb6d4aeaec0526e1739500845676b9ef68e921698b0b157a26117c7c941e51f107b1f4ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nep.exe

Filesize
141KB

MD5
b0357e7983f063ee315da468d588ec56

SHA1
da3b5d6fa1c9f7af8e4c65be69299d8c8b6a1fa1

SHA256
50712085a9304b703b0b2ef4ea501db68e8a8548f3a87f39f2c84ed651cd42a7

SHA512
386d6c56d80f3f56265307c428ecbe528056767b780c0f0808873ecbb6d4aeaec0526e1739500845676b9ef68e921698b0b157a26117c7c941e51f107b1f4ce6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\temp987879.exe

Filesize
582KB

MD5
cbb9b9506a9f6253c6909d64d2fdb4f6

SHA1
37eb92fa22c2d69d7dd69114254e45c37828890a

SHA256
d414f44504e8c85ffa4c84deca2f18e3d7ac5f6787117538372d40f33e98a92d

SHA512
dd6a39359c3ff8837284e1ad418c47d921abfd38aa7afccdc766c4ba98de9d4dace8c15239c50c67fb2cfe7d27c9b591bb6224f9584ae3b0152b7c2133b201e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\temp987879.exe

Filesize
582KB

MD5
cbb9b9506a9f6253c6909d64d2fdb4f6

SHA1
37eb92fa22c2d69d7dd69114254e45c37828890a

SHA256
d414f44504e8c85ffa4c84deca2f18e3d7ac5f6787117538372d40f33e98a92d

SHA512
dd6a39359c3ff8837284e1ad418c47d921abfd38aa7afccdc766c4ba98de9d4dace8c15239c50c67fb2cfe7d27c9b591bb6224f9584ae3b0152b7c2133b201e0

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\nep.exe

Filesize
141KB

MD5
b0357e7983f063ee315da468d588ec56

SHA1
da3b5d6fa1c9f7af8e4c65be69299d8c8b6a1fa1

SHA256
50712085a9304b703b0b2ef4ea501db68e8a8548f3a87f39f2c84ed651cd42a7

SHA512
386d6c56d80f3f56265307c428ecbe528056767b780c0f0808873ecbb6d4aeaec0526e1739500845676b9ef68e921698b0b157a26117c7c941e51f107b1f4ce6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\temp987879.exe

Filesize
582KB

MD5
cbb9b9506a9f6253c6909d64d2fdb4f6

SHA1
37eb92fa22c2d69d7dd69114254e45c37828890a

SHA256
d414f44504e8c85ffa4c84deca2f18e3d7ac5f6787117538372d40f33e98a92d

SHA512
dd6a39359c3ff8837284e1ad418c47d921abfd38aa7afccdc766c4ba98de9d4dace8c15239c50c67fb2cfe7d27c9b591bb6224f9584ae3b0152b7c2133b201e0

Download Submit
memory/276-54-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/732-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-92-0x0000000000407286-mapping.dmp

Download
memory/732-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-90-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-91-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-86-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-87-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/732-89-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1356-70-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-69-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-73-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-75-0x0000000000492ED2-mapping.dmp

Download
memory/1356-76-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-77-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-81-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-84-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1356-85-0x0000000000310000-0x0000000000328000-memory.dmp

Filesize
96KB

Download
memory/1356-72-0x0000000000090000-0x0000000000128000-memory.dmp

Filesize
608KB

Download
memory/1664-67-0x000000001AFC6000-0x000000001AFE5000-memory.dmp

Filesize
124KB

Download
memory/1664-66-0x000000001AFC0000-0x000000001AFC2000-memory.dmp

Filesize
8KB

Download
memory/1664-63-0x0000000000F00000-0x0000000000F2A000-memory.dmp

Filesize
168KB

Download
memory/1664-56-0x0000000000000000-mapping.dmp

Download
memory/1788-68-0x00000000003A0000-0x00000000003B8000-memory.dmp

Filesize
96KB

Download
memory/1788-65-0x000000001B080000-0x000000001B082000-memory.dmp

Filesize
8KB

Download
memory/1788-64-0x0000000000BB0000-0x0000000000C48000-memory.dmp

Filesize
608KB

Download
memory/1788-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads