revengerat | 5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997

General

Target

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe
Size

943KB
MD5

0c2f6990335ab2e2593fa2426b41bdb9
SHA1

96c6a1d912373cd9d493619f19363da0c3efb792
SHA256

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997
SHA512

8e8914384d009cc5f7dccae38d57877f9152227839b0ccd2e2a70b02848fbda744704b4978976f91c30ca336fe9793c75fd56a2b09a883d531b48fc88db87b43

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

ournewcompany2.hopto.org:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1000-132-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1000-133-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral2/memory/2848-138-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/2848-139-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral2/memory/3092-142-0x0000000000000000-mapping.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1.exe	WScript.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	pid	process	target process
PID 1768 set thread context of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 set thread context of 3952	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 set thread context of 3116	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 set thread context of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 set thread context of 2412	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 set thread context of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4780	3116	WerFault.exe	RegAsm.exe
868	3952	WerFault.exe	RegAsm.exe
4448	2848	WerFault.exe	RegAsm.exe
5024	2412	WerFault.exe	RegAsm.exe
3544	2848	WerFault.exe	RegAsm.exe

Modifies registry class 1 IoCs

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3092 RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3092	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe

description	pid	process	target process
PID 1768 wrote to memory of 1536	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1768 wrote to memory of 1536	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1768 wrote to memory of 1536	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	WScript.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 1000	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3952	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3952	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3952	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3952	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3116	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3116	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3116	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3116	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2848	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2412	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2412	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2412	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 2412	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe
PID 1768 wrote to memory of 3092	1768	5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe
"C:\Users\Admin\AppData\Local\Temp\5b5255c6f73275be042f41567681153584385c36eb98ab0dfc9b4aac9c3ee997.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\1.vbs"
2⤵
- Drops startup file
PID:1536

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 80
3⤵
- Program crash
PID:868

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 80
3⤵
- Program crash
PID:4780

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 12
3⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 20
3⤵
- Program crash
PID:3544

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 80
3⤵
- Program crash
PID:5024

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2848 -ip 2848
1⤵
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2412 -ip 2412
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3116 -ip 3116
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3952 -ip 3952
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2848 -ip 2848
1⤵
PID:3652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1.vbs
Filesize
355B

MD5
a031215df07e202bd306c7c4909417f7

SHA1
96e850d134498f448caf6597279c97ddefab7d3b

SHA256
07121a00ad5494ac1d1efccc33c03555e47d58a54dc27257984657665c23fa9c

SHA512
5c76dfbfcd302831da5855f0d984d27f868a39af457a626a2c47449fd1a74a90a7dc45c151831ae42834c45484ec4d1ee1c778dcd5e6b66085d33868165cff36

Download Submit
memory/1000-132-0x0000000000000000-mapping.dmp

Download
memory/1000-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1000-145-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/1536-130-0x0000000000000000-mapping.dmp

Download
memory/2412-140-0x0000000000000000-mapping.dmp

Download
memory/2848-138-0x0000000000000000-mapping.dmp

Download
memory/2848-139-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3092-142-0x0000000000000000-mapping.dmp

Download
memory/3092-144-0x0000000074A30000-0x0000000074FE1000-memory.dmp

Filesize
5.7MB

Download
memory/3116-136-0x0000000000000000-mapping.dmp

Download
memory/3952-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads