revengerat | e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

General

Target

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
Size

56KB
MD5

82c482f8af3d699aeb51034dc506cd1c
SHA1

1c65ce6be62627ee36db9c1b1d912297e6f99abe
SHA256

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3
SHA512

6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat
C:\Users\Admin\AppData\Roaming\svnosht.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

svnosht.exesvnosht.exe

pid process

3096 svnosht.exe
2020 svnosht.exe

pid	process
3096	svnosht.exe
2020	svnosht.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe

Drops startup file 8 IoCs

Processes:

svnosht.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.js	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk	svnosht.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.URL	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper	svnosht.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.vbs	svnosht.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svnosht.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svnosht.exe = "C:\\Users\\Admin\\AppData\\Roaming\\svnosht.exe"	svnosht.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4144 schtasks.exe

pid	process
4144	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exesvnosht.exesvnosht.exe

description	pid	process
Token: SeDebugPrivilege	4344	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
Token: SeDebugPrivilege	3096	svnosht.exe
Token: SeDebugPrivilege	2020	svnosht.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exesvnosht.exevbc.exe

description	pid	process	target process
PID 4344 wrote to memory of 3096	4344	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 4344 wrote to memory of 3096	4344	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 4344 wrote to memory of 3096	4344	e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe	svnosht.exe
PID 3096 wrote to memory of 3344	3096	svnosht.exe	vbc.exe
PID 3096 wrote to memory of 3344	3096	svnosht.exe	vbc.exe
PID 3096 wrote to memory of 3344	3096	svnosht.exe	vbc.exe
PID 3344 wrote to memory of 3176	3344	vbc.exe	cvtres.exe
PID 3344 wrote to memory of 3176	3344	vbc.exe	cvtres.exe
PID 3344 wrote to memory of 3176	3344	vbc.exe	cvtres.exe
PID 3096 wrote to memory of 4144	3096	svnosht.exe	schtasks.exe
PID 3096 wrote to memory of 4144	3096	svnosht.exe	schtasks.exe
PID 3096 wrote to memory of 4144	3096	svnosht.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe
"C:\Users\Admin\AppData\Local\Temp\e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Roaming\svnosht.exe
"C:\Users\Admin\AppData\Roaming\svnosht.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\csxgzvwk.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES735B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF67C8019893C47C89D1E4E4267777C4.TMP"
4⤵
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "svnosht.exe" /tr "C:\Users\Admin\AppData\Roaming\svnosht.exe"
3⤵
- Creates scheduled task(s)
PID:4144

C:\Users\Admin\AppData\Roaming\svnosht.exe
C:\Users\Admin\AppData\Roaming\svnosht.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES735B.tmp

Filesize
1KB

MD5
8d3dc8a6c16f09888a2444ec80a39be4

SHA1
d064cf8b92e97938ddf4edb8f2fe4afec650b4a6

SHA256
e61dc2a87dbdaf8bc92786d1242fcf5d963cb7794ca936b080871567b49556a2

SHA512
b8f6d088bdef4bfcfd45ea12242a064fbe03c7210501fafb28edaeeb084ec58977dd2d83992955c5f2a40603c4d4b62e5faf92267f39406f7377ad4ced59caec

Download Submit
C:\Users\Admin\AppData\Local\Temp\csxgzvwk.0.vb

Filesize
151B

MD5
dbc11087af9a5a5bc73f3eec9e1a88bd

SHA1
d3a7da895f39e5377aafb2e3a25da4c482f99b67

SHA256
058e29b22e8495d1fcdb2ef994b9f6bf276066f5ab89d1d2d658d8945d55254b

SHA512
80a37a1b0dae14a673e82f869f170541f301a6c1d0c81842cc0ab5529bc68eb56c46e328a4d659e7d5b8ab9e105fa604b7b03c8f96c1412d39eabfe61939e599

Download Submit
C:\Users\Admin\AppData\Local\Temp\csxgzvwk.cmdline

Filesize
198B

MD5
a964a9b88e661804827781b596057cc3

SHA1
77019ce9816c0ca0823ed105c81d29ac316c80f8

SHA256
98f915216aa481615bb8a5402320ce8c25271349a475af78cca97e9b68580e36

SHA512
07463337c736b278cbeb2768615829de571eb107a0cc238b6f41c911521b7b32ae1c0a64787faa3b8c3d500052ec24780b0f1e0935b1b3b7154c4e767c132c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF67C8019893C47C89D1E4E4267777C4.TMP

Filesize
676B

MD5
6c51e75b6e74d5d4c93ad5da8b15790e

SHA1
0f2f268d354c03fb11ac6b5548650de793583535

SHA256
a646a41cad107940e782bd4ccc785772521bd03851e65684defcc70bcab85995

SHA512
b9451ce5d60f4ce3b898cc9f5696d4a2146de5805f4fa36f055eb6a3d2176ec7818c8736712e51f64a4b02af0584ceac5c3f3bcb84918b01e4df0244ff42cbda

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe

Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe

Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
C:\Users\Admin\AppData\Roaming\svnosht.exe

Filesize
56KB

MD5
82c482f8af3d699aeb51034dc506cd1c

SHA1
1c65ce6be62627ee36db9c1b1d912297e6f99abe

SHA256
e8da9985457f46542b7f8c9c2e48f252f6f0d998223271a1bf073754fda2e8e3

SHA512
6f55468830a5fa9fdf30d12300e3fe71ce9ff48f3ebc1d261d2ef50579b0b1aef4b3aff3cf7b337cf92b9b18bc1fe0de9cc9166fa40f5136dfb7151e0fe62899

Download Submit
memory/2020-143-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3096-134-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download
memory/3096-131-0x0000000000000000-mapping.dmp

Download
memory/3176-138-0x0000000000000000-mapping.dmp

Download
memory/3344-135-0x0000000000000000-mapping.dmp

Download
memory/4144-141-0x0000000000000000-mapping.dmp

Download
memory/4344-130-0x00000000752D0000-0x0000000075881000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads