revengerat | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

General

Target

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Size

17KB
MD5

4a1e9090a6a6bc9dda8706d35e5ef027
SHA1

8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
SHA256

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
SHA512

961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:17455

Mutex

RV_MUTEX-iYAoBLOacwYd

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Client.exe	revengerat
C:\Users\Admin\Documents\Client.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1232 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1232	Client.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1536 powershell.exe

pid	process
1536	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1980	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Token: SeDebugPrivilege	1232	Client.exe
Token: SeDebugPrivilege	1536	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exe

description	pid	process	target process
PID 1980 wrote to memory of 1232	1980	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe	Client.exe
PID 1980 wrote to memory of 1232	1980	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe	Client.exe
PID 1980 wrote to memory of 1232	1980	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe	Client.exe
PID 1232 wrote to memory of 1536	1232	Client.exe	powershell.exe
PID 1232 wrote to memory of 1536	1232	Client.exe	powershell.exe
PID 1232 wrote to memory of 1536	1232	Client.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
"C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Client.exe
Filesize
17KB

MD5
4a1e9090a6a6bc9dda8706d35e5ef027

SHA1
8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be

SHA256
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

SHA512
961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Download Submit
C:\Users\Admin\Documents\Client.exe
Filesize
17KB

MD5
4a1e9090a6a6bc9dda8706d35e5ef027

SHA1
8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be

SHA256
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

SHA512
961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Download Submit
memory/1232-60-0x000007FEF3540000-0x000007FEF3F63000-memory.dmp

Filesize
10.1MB

Download
memory/1232-57-0x0000000000000000-mapping.dmp

Download
memory/1232-61-0x000007FEEEB50000-0x000007FEEFBE6000-memory.dmp

Filesize
16.6MB

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1536-64-0x000007FEF3540000-0x000007FEF3F63000-memory.dmp

Filesize
10.1MB

Download
memory/1536-66-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/1536-65-0x000007FEEDFF0000-0x000007FEEEB4D000-memory.dmp

Filesize
11.4MB

Download
memory/1536-67-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1536-68-0x000007FEEEB50000-0x000007FEEFBE6000-memory.dmp

Filesize
16.6MB

Download
memory/1536-69-0x000000000240B000-0x000000000242A000-memory.dmp

Filesize
124KB

Download
memory/1980-56-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1980-55-0x000007FEF2ED0000-0x000007FEF3F66000-memory.dmp

Filesize
16.6MB

Download
memory/1980-54-0x000007FEF3F70000-0x000007FEF4993000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads