revengerat | 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2

Analysis

max time kernel
47s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
Size

22KB
MD5

2793ea0c8c30c836fc53b4d8afd6ff8b
SHA1

a99b960af5a24cb16776d0953a392f0186c1398c
SHA256

117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2
SHA512

cb641b3f0aa28360f0df8e63cb24dc5aaf2365db108473f72f62d495ccfaf34b3601db1d8bfa6f06bdab5d2d27cddb5fd5fa1fb1745989b12234501d64834d52

Score

10^/10

revengerat stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1524-55-0x00000000001D0000-0x00000000001D8000-memory.dmp	revengerat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 1524 WerFault.exe 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe

description pid process

Token: SeDebugPrivilege 1524 117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe

pid	pid_target	process	target process
1996	1524	WerFault.exe	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe

description	pid	process
Token: SeDebugPrivilege	1524	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe

description	pid	process	target process
PID 1524 wrote to memory of 1996	1524	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe	WerFault.exe
PID 1524 wrote to memory of 1996	1524	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe	WerFault.exe
PID 1524 wrote to memory of 1996	1524	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe	WerFault.exe
PID 1524 wrote to memory of 1996	1524	117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe
"C:\Users\Admin\AppData\Local\Temp\117279ffc6d5a75fdb19a3096b9c6e48c7086567d777f1ca69f78aff69b589f2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1480
2⤵
- Program crash
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-54-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/1524-55-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1524-56-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1996-57-0x0000000000000000-mapping.dmp

Download