revengerat | 9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345

General

Target

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
Size

1.5MB
MD5

2884f56c8fe181ec634e5f5b059e8943
SHA1

a0c30ab484f36e77a27cafc6265f7ce45bf27612
SHA256

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345
SHA512

297475cc382155d85be34e97eec4623580c3fbbef83c3d926d0a436622bb8ec7b6c938225c61e5772df672af8c4ed4a7e5d2d9aa9d3e0209d01b898dab6bf648

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1400-57-0x0000000000850000-0x000000000086A000-memory.dmp	net_reactor

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1400-57-0x0000000000850000-0x000000000086A000-memory.dmp	revengerat

Suspicious use of SetThreadContext 2 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process	target process
PID 1400 set thread context of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1724 set thread context of 960	1724	MSBuild.exe	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
Token: SeDebugPrivilege	1724	MSBuild.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exeMSBuild.exe

description	pid	process	target process
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1400 wrote to memory of 1724	1400	9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe
PID 1724 wrote to memory of 960	1724	MSBuild.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe
"C:\Users\Admin\AppData\Local\Temp\9e36bd5d9ee933eb8cf7aaef9a14bb4a1c85ebaf1630b5b5e3fa5bb2f67cf345.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YawrHJfWfh.txt

Filesize
102B

MD5
02db63e5a1f0c977ff066fbf3c2c4bfe

SHA1
3e1e3dc2ae86ea2408a15e0ed38e797e7423c246

SHA256
54b92a399461b2fd4034f66a7eecfe8dc0f2a4e47b9702ed7ac7179aa571d9fc

SHA512
bbb171d896ae9fbaf6b91c8dfbf64cc73d799d795e378d10d912b31394e9868badf3b81748ed979da919b1fc1bb633409438df9d6666437544008668ef7067fe

Download Submit
memory/960-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-86-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-83-0x0000000000439A92-mapping.dmp

Download
memory/960-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-77-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-56-0x0000000004E85000-0x0000000004E96000-memory.dmp

Filesize
68KB

Download
memory/1400-57-0x0000000000850000-0x000000000086A000-memory.dmp

Filesize
104KB

Download
memory/1400-54-0x0000000001150000-0x00000000012D8000-memory.dmp

Filesize
1.5MB

Download
memory/1400-55-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1724-59-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-74-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-71-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-66-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-67-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-65-0x0000000000565272-mapping.dmp

Download
memory/1724-62-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-61-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-58-0x0000000000080000-0x0000000000208000-memory.dmp

Filesize
1.5MB

Download
memory/1724-89-0x0000000004E15000-0x0000000004E26000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads