revengerat | 2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55

General

Target

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
Size

70KB
MD5

407b61f6bd7985c856ba370dde95daee
SHA1

45023210e16863ce86957c11178eca2f7a9a184c
SHA256

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55
SHA512

511ff1d524ce06dfbc9f32283b0c2e9a7068a01d8cc6bbe6a70980661fc8a377c0d4241251516d6c3c01fd1113e595fa319f9e53ca0c93574a180d7bdec071a2

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/536-59-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/536-60-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/536-61-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/536-63-0x000000000040F0EE-mapping.dmp	revengerat
behavioral1/memory/536-62-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/536-65-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\ques = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exeInstallUtil.exe

description	pid	process	target process
PID 1324 set thread context of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 536 set thread context of 1608	536	InstallUtil.exe	InstallUtil.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
Token: SeDebugPrivilege	536	InstallUtil.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exeInstallUtil.exe

description	pid	process	target process
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 1324 wrote to memory of 536	1324	2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe
PID 536 wrote to memory of 1608	536	InstallUtil.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe
"C:\Users\Admin\AppData\Local\Temp\2503591813db469e7a22ecdfc233b7e91a85821c6f2beaf05e406f722dae2e55.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tawrHJfWfh.txt

Filesize
102B

MD5
a2844417eb0b3d2fe296515b95e35159

SHA1
ef993d8459beacf5e70292f26919e9519207563f

SHA256
a5d619d7dea87e1723c1285e8dc9e600c9f7dd4e523f059918b9c7be443856ec

SHA512
3381f1665fafb324189145ec8995e23bcbb3c015096a81da32e027ebd489e946d4b79650636df2af8d7eef21523435fd5bb8631c8d258d9f8a077a545e9e35bb

Download Submit
memory/536-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-63-0x000000000040F0EE-mapping.dmp

Download
memory/536-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-65-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/536-86-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-55-0x0000000074D40000-0x00000000752EB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1608-71-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-68-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-73-0x000000000040587E-mapping.dmp

Download
memory/1608-67-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-75-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-76-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-80-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-83-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/1608-85-0x0000000074790000-0x0000000074D3B000-memory.dmp

Filesize
5.7MB

Download
memory/1608-70-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads