revengerat | 5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2

General

Target

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Size

190KB
MD5

a1d732c8477b8e487981c475cfb4fda0
SHA1

afffdaf652d9445aba3f9c3809d555c7224ad201
SHA256

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2
SHA512

0c2db6108881de5fe86d7bd198adb2770b7653c064ed29ce4bb48a9deb86421be8fd6a1424fd2a491ca2f804da2f9d9f21470a5545255746a1a55192500819ff

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1608-64-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral1/memory/1608-66-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral1/memory/1608-65-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral1/memory/1608-67-0x0000000000424F9E-mapping.dmp	revengerat
behavioral1/memory/1608-69-0x0000000000400000-0x000000000042A000-memory.dmp	revengerat
behavioral1/memory/988-92-0x0000000000424F9E-mapping.dmp	revengerat

Suspicious use of SetThreadContext 4 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 1552 set thread context of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1608 set thread context of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1268 set thread context of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 988 set thread context of 2032	988	RegSvcs.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Powershell.exeRegSvcs.exePowershell.exe

pid process

980 Powershell.exe
1268 RegSvcs.exe
1924 Powershell.exe

pid	process
980	Powershell.exe
1268	RegSvcs.exe
1924	Powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exePowershell.exeRegSvcs.exePowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Token: SeDebugPrivilege	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
Token: SeDebugPrivilege	980	Powershell.exe
Token: SeDebugPrivilege	1268	RegSvcs.exe
Token: SeDebugPrivilege	1924	Powershell.exe
Token: SeDebugPrivilege	988	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	988	RegSvcs.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exeRegSvcs.exeRegSvcs.exe

description	pid	process	target process
PID 1552 wrote to memory of 980	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 1552 wrote to memory of 980	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 1552 wrote to memory of 980	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 1552 wrote to memory of 980	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	Powershell.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1552 wrote to memory of 1608	1552	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe	RegSvcs.exe
PID 1268 wrote to memory of 1924	1268	RegSvcs.exe	Powershell.exe
PID 1268 wrote to memory of 1924	1268	RegSvcs.exe	Powershell.exe
PID 1268 wrote to memory of 1924	1268	RegSvcs.exe	Powershell.exe
PID 1268 wrote to memory of 1924	1268	RegSvcs.exe	Powershell.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 1796	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 1268 wrote to memory of 988	1268	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe
PID 988 wrote to memory of 2032	988	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
"C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe
"C:\Users\Admin\AppData\Local\Temp\5812bd07a6aa5a3a5418c2eba8b1f5f1f7491581baeb3488d71fbca0bfb892a2.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:2032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jaKuSAtY.txt
Filesize
102B

MD5
1b80a307a8f18e71776685fb3db70dd5

SHA1
bed0d61ab329d104529b08901c6bbec99b6b5304

SHA256
bf3fbf767f323252031d09911a1a0f7b573fe56ee8b15fa1b6bd1a32aa395a73

SHA512
15d9661d803b9e66078b07f18f281e844197176574fa712136b237a315fe6fb275bf9bc1d1b0b9118d5bff911f298310a3053fe50ba5a9abd79356f3a654862e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
045e4001d622feecdc31238edd18083f

SHA1
a27109ab7eacd598a163c7a05f92fc2e0c779fa1

SHA256
ce68e414e08a530c1e13d2707338865116693af33866b842c3a709afa54e2f5d

SHA512
88bccf6553deb98ea8b0a88f5422e2b02c316e626f01a1d1acbcfcb3a81baaa3485873921e8375da5567adcb5f7e2aa08d55f1dd075f11d03a0258ede0e8791f

Download Submit
memory/980-58-0x0000000000000000-mapping.dmp

Download
memory/980-82-0x000000006E940000-0x000000006EEEB000-memory.dmp

Filesize
5.7MB

Download
memory/988-92-0x0000000000424F9E-mapping.dmp

Download
memory/1268-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-76-0x000000000042F31E-mapping.dmp

Download
memory/1268-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-56-0x00000000759E1000-0x00000000759E3000-memory.dmp

Filesize
8KB

Download
memory/1552-54-0x0000000000CB0000-0x0000000000CE4000-memory.dmp

Filesize
208KB

Download
memory/1552-55-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/1552-57-0x0000000000640000-0x000000000066C000-memory.dmp

Filesize
176KB

Download
memory/1552-59-0x00000000006A0000-0x00000000006B4000-memory.dmp

Filesize
80KB

Download
memory/1608-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-69-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-67-0x0000000000424F9E-mapping.dmp

Download
memory/1608-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1608-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1924-83-0x0000000000000000-mapping.dmp

Download
memory/1924-99-0x000000006E390000-0x000000006E93B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-100-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-101-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-95-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-98-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-102-0x0000000000408356-mapping.dmp

Download
memory/2032-96-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-105-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-107-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2032-109-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads