revengerat | 365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f

General

Target

365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe
Size

231KB
MD5

09cd267ca92d6c3dcbaa05e70477962f
SHA1

a9786770752e9f6ca8a49f109cf9fe9783e5aa9d
SHA256

365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f
SHA512

87bfe294cdcd711a44976f8aec1aa51d48fe9cc83ed08ab6ef04a1c144fb545874f517d9f9232f1fef2bc154b8da0cda6d3259bf8952ebb683e69b04c09bb83a

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

195.206.106.176:7865

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5084-136-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4652 Client.exe

pid	process
4652	Client.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe

description	pid	process	target process
PID 1732 set thread context of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe
Token: SeDebugPrivilege	5084	InstallUtil.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exeInstallUtil.exe

description	pid	process	target process
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 1732 wrote to memory of 5084	1732	365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe	InstallUtil.exe
PID 5084 wrote to memory of 4652	5084	InstallUtil.exe	Client.exe
PID 5084 wrote to memory of 4652	5084	InstallUtil.exe	Client.exe
PID 5084 wrote to memory of 4652	5084	InstallUtil.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe
"C:\Users\Admin\AppData\Local\Temp\365d0d94f8f8aa65f2eb9a6080d023ca3b3828bbf1c96776a256084958e7b05f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
memory/1732-133-0x000000000A0B0000-0x000000000A142000-memory.dmp

Filesize
584KB

Download
memory/1732-130-0x0000000000AC0000-0x0000000000B00000-memory.dmp

Filesize
256KB

Download
memory/1732-134-0x00000000067D0000-0x00000000067F2000-memory.dmp

Filesize
136KB

Download
memory/1732-132-0x000000000A480000-0x000000000AA24000-memory.dmp

Filesize
5.6MB

Download
memory/1732-131-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/4652-138-0x0000000000000000-mapping.dmp

Download
memory/4652-141-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/4652-142-0x0000000004AF0000-0x0000000004B0A000-memory.dmp

Filesize
104KB

Download
memory/5084-135-0x0000000000000000-mapping.dmp

Download
memory/5084-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5084-137-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads