revengerat | 83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

General

Target

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
Size

56KB
MD5

b82f453f91e18565385e4a7126506fa2
SHA1

54f76a03a48481f8286a3977cb1302e6dce7e592
SHA256

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1
SHA512

3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1848-131-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral2/memory/1848-133-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
C:\Windows\SysWOW64\system manager.exe	revengerat
C:\Windows\SysWOW64\system manager.exe	revengerat
behavioral2/memory/1944-150-0x0000000000780000-0x0000000000794000-memory.dmp	revengerat
behavioral2/memory/1944-153-0x0000000000780000-0x0000000000794000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

system manager.exe

pid process

4668 system manager.exe

pid	process
4668	system manager.exe

Drops file in System32 directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\system manager.exe	RegSvcs.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exe

description	pid	process	target process
PID 1580 set thread context of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1848 set thread context of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 4668 set thread context of 1944	4668	system manager.exe	RegSvcs.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2200 1944 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
2200	1944	WerFault.exe	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exe

description	pid	process
Token: SeDebugPrivilege	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
Token: SeDebugPrivilege	1848	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1848	RegSvcs.exe
Token: SeDebugPrivilege	4668	system manager.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exeRegSvcs.exesystem manager.exe

description	pid	process	target process
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1580 wrote to memory of 1848	1580	83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4924	1848	RegSvcs.exe	RegSvcs.exe
PID 1848 wrote to memory of 4668	1848	RegSvcs.exe	system manager.exe
PID 1848 wrote to memory of 4668	1848	RegSvcs.exe	system manager.exe
PID 1848 wrote to memory of 4668	1848	RegSvcs.exe	system manager.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe
PID 4668 wrote to memory of 1944	4668	system manager.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe
"C:\Users\Admin\AppData\Local\Temp\83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4924

C:\Windows\SysWOW64\system manager.exe
"C:\Windows\system32\system manager.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 200
5⤵
- Program crash
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1944 -ip 1944
1⤵
PID:5008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
Filesize
142B

MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBLOacw.txt
Filesize
102B

MD5
7782df1f6b43838e055d99b4668d2bfc

SHA1
5a4adcc361c16779064eb1554e214ee380cdc99d

SHA256
bbae3d71bcab18621ee719be9b2d016add16a726067e3948ed9183d8bc9ed41a

SHA512
1085d9b9383cfeeb098a45dcd116f15371cb5aa7cc6915f626b61903eb90323076f7c97cb6f7d6e0748bfc976db7146babbc2b1f00bfa6da923e0fce33e08e04

Download Submit
C:\Windows\SysWOW64\system manager.exe
Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
C:\Windows\SysWOW64\system manager.exe
Filesize
56KB

MD5
b82f453f91e18565385e4a7126506fa2

SHA1
54f76a03a48481f8286a3977cb1302e6dce7e592

SHA256
83d0c88d59c8e466d87f6f0634b5ee11effb4ab278b09af094fdf634e1ecb7f1

SHA512
3f91dcd61061c51da061b8ed680acc7caef964ad61403b3143a4d20caf4546324b150fe26a2f8b6dc83ca4ae02579d2c7ef9a88414f07873409dd87038c87569

Download Submit
memory/1580-134-0x0000000074BC0000-0x0000000075171000-memory.dmp

Filesize
5.7MB

Download
memory/1848-135-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/1848-130-0x0000000000000000-mapping.dmp

Download
memory/1848-131-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1848-136-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/1848-137-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/1944-146-0x0000000000000000-mapping.dmp

Download
memory/1944-150-0x0000000000780000-0x0000000000794000-memory.dmp

Filesize
80KB

Download
memory/1944-153-0x0000000000780000-0x0000000000794000-memory.dmp

Filesize
80KB

Download
memory/4668-142-0x0000000000000000-mapping.dmp

Download
memory/4668-151-0x0000000074C60000-0x0000000075211000-memory.dmp

Filesize
5.7MB

Download
memory/4924-141-0x0000000005240000-0x000000000527C000-memory.dmp

Filesize
240KB

Download
memory/4924-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4924-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads