revengerat | 5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997

General

Target

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe
Size

943KB
MD5

0c2f6990335ab2e2593fa2426b41bdb9
SHA1

96c6a1d912373cd9d493619f19363da0c3efb792
SHA256

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997
SHA512

8e8914384d009cc5f7dccae38d57877f9152227839b0ccd2e2a70b02848fbda744704b4978976f91c30ca336fe9793c75fd56a2b09a883d531b48fc88db87b43

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

ournewcompany2.hopto.org:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/940-63-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/940-64-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/940-65-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/940-68-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/940-72-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1020-85-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/2036-75-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/432-95-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/1332-105-0x0000000000405DCE-mapping.dmp	revengerat

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe	WScript.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	pid	process	target process
PID 1580 set thread context of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 set thread context of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 set thread context of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 set thread context of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 set thread context of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 set thread context of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 940 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	940	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	pid	process	target process
PID 1580 wrote to memory of 112	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1580 wrote to memory of 112	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1580 wrote to memory of 112	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1580 wrote to memory of 112	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 940	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 2036	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1020	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 432	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1580 wrote to memory of 1332	1580	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe
"C:\Users\Admin\AppData\Local\Temp\5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
2⤵
- Drops startup file
PID:112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1020

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:432

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.vbs
Filesize
355B

MD5
a031215df07e202bd306c7c4909417f7

SHA1
96e850d134498f448caf6597279c97ddefab7d3b

SHA256
07121a00ad5494ac1d1efccc33c03555e47d58a54dc27257984657665c23fa9c

SHA512
5c76dfbfcd302831da5855f0d984d27f868a39af457a626a2c47449fd1a74a90a7dc45c151831ae42834c45484ec4d1ee1c778dcd5e6b66085d33868165cff36

Download Submit
memory/112-55-0x0000000000000000-mapping.dmp

Download
memory/432-95-0x0000000000405DCE-mapping.dmp

Download
memory/432-115-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/940-65-0x0000000000405DCE-mapping.dmp

Download
memory/940-60-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-117-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/940-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/940-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1020-85-0x0000000000405DCE-mapping.dmp

Download
memory/1332-105-0x0000000000405DCE-mapping.dmp

Download
memory/1332-116-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-54-0x0000000076811000-0x0000000076813000-memory.dmp

Filesize
8KB

Download
memory/2020-59-0x0000000000405DCE-mapping.dmp

Download
memory/2036-75-0x0000000000405DCE-mapping.dmp

Download
memory/2036-118-0x00000000743D0000-0x000000007497B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads