revengerat | e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
Size

56KB
MD5

82c482f8af3d699aeb51034dc506cd1c
SHA1

1c65ce6be62627ee36db9c1b1d912297e6f99abe
SHA256

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3
SHA512

6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

svnosht.exesvnosht.exe

pid process

1192 svnosht.exe
1204 svnosht.exe

pid	process
1192	svnosht.exe
1204	svnosht.exe

Drops startup file 8 IoCs

Processes:

vbc.exesvnosht.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.js	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk	svnosht.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.URL	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	vbc.exe

Loads dropped DLL 3 IoCs

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exesvnosht.exe

pid	process
1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
1192	svnosht.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svnosht.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\svnosht.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svnosht.exe"	svnosht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1852 schtasks.exe

pid	process
1852	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exesvnosht.exesvnosht.exe

description	pid	process
Token: SeDebugPrivilege	1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
Token: SeDebugPrivilege	1192	svnosht.exe
Token: SeDebugPrivilege	1204	svnosht.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exesvnosht.exevbc.exetaskeng.exe

description	pid	process	target process
PID 1092 wrote to memory of 1192	1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 1092 wrote to memory of 1192	1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 1092 wrote to memory of 1192	1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 1092 wrote to memory of 1192	1092	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 1192 wrote to memory of 764	1192	svnosht.exe	vbc.exe
PID 1192 wrote to memory of 764	1192	svnosht.exe	vbc.exe
PID 1192 wrote to memory of 764	1192	svnosht.exe	vbc.exe
PID 1192 wrote to memory of 764	1192	svnosht.exe	vbc.exe
PID 764 wrote to memory of 1512	764	vbc.exe	cvtres.exe
PID 764 wrote to memory of 1512	764	vbc.exe	cvtres.exe
PID 764 wrote to memory of 1512	764	vbc.exe	cvtres.exe
PID 764 wrote to memory of 1512	764	vbc.exe	cvtres.exe
PID 1192 wrote to memory of 1852	1192	svnosht.exe	schtasks.exe
PID 1192 wrote to memory of 1852	1192	svnosht.exe	schtasks.exe
PID 1192 wrote to memory of 1852	1192	svnosht.exe	schtasks.exe
PID 1192 wrote to memory of 1852	1192	svnosht.exe	schtasks.exe
PID 1820 wrote to memory of 1204	1820	taskeng.exe	svnosht.exe
PID 1820 wrote to memory of 1204	1820	taskeng.exe	svnosht.exe
PID 1820 wrote to memory of 1204	1820	taskeng.exe	svnosht.exe
PID 1820 wrote to memory of 1204	1820	taskeng.exe	svnosht.exe

C:\Users\Admin\AppData\Local\Temp\e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
"C:\Users\Admin\AppData\Local\Temp\e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Roaming\svnosht.exe
"C:\Users\Admin\AppData\Roaming\svnosht.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a7_ogjgw.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF67.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF66.tmp"
4⤵
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "svnosht.exe" /tr "C:\Users\Admin\AppData\Roaming\svnosht.exe"
3⤵
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {C45082E9-DC7E-4E96-9C69-D3963F6356B3} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Roaming\svnosht.exe
C:\Users\Admin\AppData\Roaming\svnosht.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESFF67.tmp
Filesize
1KB

MD5
bbfb3747e5b70ef312bb2a07bbf13135

SHA1
2b190752477a7404766e736dc447de9d6e71b0fa

SHA256
7b955d94aa05c377f78213feadad4470f49a49f626edc9760ac659ded4b53dd5

SHA512
680c67888111925ca3c284077a54766b82f6c8acb41e23b57e266f48bc58bc48bcf7a04a87ceb32a5f01b4b660855653b4b528a2930e8f5049b20fd14371fc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7_ogjgw.0.vb
Filesize
151B

MD5
dbc11087af9a5a5bc73f3eec9e1a88bd

SHA1
d3a7da895f39e5377aafb2e3a25da4c482f99b67

SHA256
058e29b22e8495d1fcdb2ef994b9f6bf276066f5ab89d1d2d658d8945d55254b

SHA512
80a37a1b0dae14a673e82f869f170541f301a6c1d0c81842cc0ab5529bc68eb56c46e328a4d659e7d5b8ab9e105fa604b7b03c8f96c1412d39eabfe61939e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7_ogjgw.cmdline
Filesize
198B

MD5
673eb405859602a16c626d7217cc9ed7

SHA1
6f6ee1fef0c82fbb6fadbf880b5bf0f49acc58a1

SHA256
0486fd9520f7ba6b92e68b6bb81eb05b4b9e9a0f001d98aac0a4575e75871c32

SHA512
b68ea221b63221fd25d944fd6c60872ba54262e8a0c797ccd8bf5f3d4de9b0661276e2a37df4c476638f8f8bc69937e3374fbc3791784a8c929a44b8fdc40ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF66.tmp
Filesize
676B

MD5
6c51e75b6e74d5d4c93ad5da8b15790e

SHA1
0f2f268d354c03fb11ac6b5548650de793583535

SHA256
a646a41cad107940e782bd4ccc785772521bd03851e65684defcc70bcab85995

SHA512
b9451ce5d60f4ce3b898cc9f5696d4a2146de5805f4fa36f055eb6a3d2176ec7818c8736712e51f64a4b02af0584ceac5c3f3bcb84918b01e4df0244ff42cbda

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
\Users\Admin\AppData\Roaming\svnosht.exe
Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
memory/764-64-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

Filesize
8KB

Download
memory/1092-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-62-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1192-58-0x0000000000000000-mapping.dmp

Download
memory/1204-71-0x0000000000000000-mapping.dmp

Download
memory/1204-74-0x00000000744D0000-0x0000000074A7B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-67-0x0000000000000000-mapping.dmp

Download
memory/1852-70-0x0000000000000000-mapping.dmp

Download