revengerat | d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508

Analysis

max time kernel
29s
max time network
55s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-05-2022 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe
Size

24KB
MD5

9b30e0894ba18b3a4fe54359c5c5363b
SHA1

f1546abf3818a139f1da3ff9e2b36e17c5d88279
SHA256

d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508
SHA512

94ea4bc1660b01a5fa677c4a56d77bccdf270d74b3714adccc19acd4bcffa5e5967930fb2fa3755b03171fd0e239dc2d4ac4cce923ed758a648c4cc905b92a07

Score

10^/10

revengerat stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/704-55-0x0000000000300000-0x0000000000308000-memory.dmp	revengerat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

840 704 WerFault.exe d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe

description pid process

Token: SeDebugPrivilege 704 d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe

pid	pid_target	process	target process
840	704	WerFault.exe	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe

description	pid	process
Token: SeDebugPrivilege	704	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe

description	pid	process	target process
PID 704 wrote to memory of 840	704	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe	WerFault.exe
PID 704 wrote to memory of 840	704	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe	WerFault.exe
PID 704 wrote to memory of 840	704	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe	WerFault.exe
PID 704 wrote to memory of 840	704	d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe
"C:\Users\Admin\AppData\Local\Temp\d36dd01b3378deeaa54f64ffb33d9b752bc28ecc832a83a2a0c974f2eae77508.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 1484
2⤵
- Program crash
PID:840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/704-54-0x0000000001270000-0x000000000127C000-memory.dmp

Filesize
48KB

Download
memory/704-55-0x0000000000300000-0x0000000000308000-memory.dmp

Filesize
32KB

Download
memory/704-56-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/840-57-0x0000000000000000-mapping.dmp

Download