revengerat | 83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

General

Target

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
Size

56KB
MD5

b82f453f91e18565385e4a7126506fa2
SHA1

54f76a03a48481f8286a3977cb1302e6dce7e592
SHA256

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1
SHA512

3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/2008-62-0x000000000040F9CE-mapping.dmp	revengerat
behavioral1/memory/2008-61-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
\Windows\SysWOW64\system manager.exe	revengerat
\Windows\SysWOW64\system manager.exe	revengerat
C:\Windows\SysWOW64\system manager.exe	revengerat
C:\Windows\SysWOW64\system manager.exe	revengerat
behavioral1/memory/1424-91-0x000000000040F9CE-mapping.dmp	revengerat
behavioral1/memory/1424-95-0x0000000000090000-0x00000000000A4000-memory.dmp	revengerat
behavioral1/memory/1424-97-0x0000000000090000-0x00000000000A4000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

system manager.exe

pid process

1724 system manager.exe
Loads dropped DLL 2 IoCs

Processes:

RegSvcs.exe

pid process

2008 RegSvcs.exe
2008 RegSvcs.exe

pid	process
1724	system manager.exe

pid	process
2008	RegSvcs.exe
2008	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\SysWOW64\\system manager.exe"	RegSvcs.exe

Drops file in System32 directory 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe
File created	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe
File created	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exeRegSvcs.exe

description	pid	process	target process
PID 1000 set thread context of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 2008 set thread context of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 1724 set thread context of 1424	1724	system manager.exe	RegSvcs.exe
PID 1424 set thread context of 1924	1424	RegSvcs.exe	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
Token: SeDebugPrivilege	2008	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2008	RegSvcs.exe
Token: SeDebugPrivilege	1724	system manager.exe
Token: SeDebugPrivilege	1424	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1424	RegSvcs.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exeRegSvcs.exe

description	pid	process	target process
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1000 wrote to memory of 2008	1000	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 336	2008	RegSvcs.exe	RegSvcs.exe
PID 2008 wrote to memory of 1724	2008	RegSvcs.exe	system manager.exe
PID 2008 wrote to memory of 1724	2008	RegSvcs.exe	system manager.exe
PID 2008 wrote to memory of 1724	2008	RegSvcs.exe	system manager.exe
PID 2008 wrote to memory of 1724	2008	RegSvcs.exe	system manager.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1724 wrote to memory of 1424	1724	system manager.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe
PID 1424 wrote to memory of 1924	1424	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
"C:\Users\Admin\AppData\Local\Temp\83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:336

C:\Windows\SysWOW64\system manager.exe
"C:\Windows\system32\system manager.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lBLOacw.txt

Filesize
38B

MD5
f45b44b8036186aa7b136303999a5367

SHA1
290ea3dff80a8fb72b11a61008dc9b0a685ab25b

SHA256
84795137883e38d48925e9edcabcfd60832352901dfffbf96cc76b17a23cda67

SHA512
ff7d43c4a801b54b100ac40f7a9dfd99a4e56f29fbf72738ff897fed6bf6ee80d4cbd7845c2ee117b69676389aa51bef94fe5f0ac84a2cb9a6910dbf4bf1b883

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBLOacw.txt

Filesize
102B

MD5
7782df1f6b43838e055d99b4668d2bfc

SHA1
5a4adcc361c16779064eb1554e214ee380cdc99d

SHA256
bbae3d71bcab18621ee719be9b2d016add16a726067e3948ed9183d8bc9ed41a

SHA512
1085d9b9383cfeeb098a45dcd116f15371cb5aa7cc6915f626b61903eb90323076f7c97cb6f7d6e0748bfc976db7146babbc2b1f00bfa6da923e0fce33e08e04

Download Submit
C:\Windows\SysWOW64\system manager.exe

Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
C:\Windows\SysWOW64\system manager.exe

Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
\Windows\SysWOW64\system manager.exe

Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
\Windows\SysWOW64\system manager.exe

Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
memory/336-77-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/336-76-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-65-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-69-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-71-0x0000000000408356-mapping.dmp

Download
memory/336-70-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/336-74-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1000-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1000-55-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1424-91-0x000000000040F9CE-mapping.dmp

Download
memory/1424-95-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/1424-97-0x0000000000090000-0x00000000000A4000-memory.dmp

Filesize
80KB

Download
memory/1724-81-0x0000000000000000-mapping.dmp

Download
memory/1724-93-0x000000006FFE0000-0x000000007058B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-111-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/1924-110-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-108-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-104-0x0000000000408356-mapping.dmp

Download
memory/2008-62-0x000000000040F9CE-mapping.dmp

Download
memory/2008-57-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads