revengerat | fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

General

Target

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Size

17KB
MD5

4a1e9090a6a6bc9dda8706d35e5ef027
SHA1

8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be
SHA256

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e
SHA512

961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:17455

Mutex

RV_MUTEX-iYAoBLOacwYd

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Client.exe	revengerat
C:\Users\Admin\Documents\Client.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

4760 Client.exe

pid	process
4760	Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1736 powershell.exe
1736 powershell.exe

pid	process
1736	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2496	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
Token: SeDebugPrivilege	4760	Client.exe
Token: SeDebugPrivilege	1736	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exeClient.exe

description	pid	process	target process
PID 2496 wrote to memory of 4760	2496	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe	Client.exe
PID 2496 wrote to memory of 4760	2496	fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe	Client.exe
PID 4760 wrote to memory of 1736	4760	Client.exe	powershell.exe
PID 4760 wrote to memory of 1736	4760	Client.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe
"C:\Users\Admin\AppData\Local\Temp\fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('congradulations you got fuckin hacked','HAHA')
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\Client.exe
Filesize
17KB

MD5
4a1e9090a6a6bc9dda8706d35e5ef027

SHA1
8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be

SHA256
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

SHA512
961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Download Submit
C:\Users\Admin\Documents\Client.exe
Filesize
17KB

MD5
4a1e9090a6a6bc9dda8706d35e5ef027

SHA1
8f8a66cb388f0ed59c46c3bc23c95c6724b8c2be

SHA256
fd9f4bc99e7a969551c859d3da5dfd6c4151a20c9663619a4b14be7958c34e0e

SHA512
961e334b79d36a781f732f6e4116d84b99d7fb2063e94bd901d42a092d664141e59ff4d7cade49d848ee16cd5be8bba3e849c9a12b8c24469e5a7aa264cfd33a

Download Submit
memory/1736-135-0x0000000000000000-mapping.dmp

Download
memory/1736-136-0x000002CEA6710000-0x000002CEA6732000-memory.dmp

Filesize
136KB

Download
memory/1736-137-0x000002CE8CD30000-0x000002CE8D7F1000-memory.dmp

Filesize
10.8MB

Download
memory/2496-130-0x00007FFD44AB0000-0x00007FFD454E6000-memory.dmp

Filesize
10.2MB

Download
memory/4760-131-0x0000000000000000-mapping.dmp

Download
memory/4760-134-0x00007FFD44AB0000-0x00007FFD454E6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads