revengerat | dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5

General

Target

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
Size

737KB
MD5

78ea7223cc7cf6230315aae0b3d5fc1e
SHA1

1074683782e95e7042bbcdfa8876a855b36c92e1
SHA256

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5
SHA512

a56b11c2d79111ddecec240d3a2c53883fe7d3d147791f6979750c12f94d74e7e2785ea5ee17b87a997e903da22527f24529a02e744337703e9ca2ad314be4d0

Score

10^/10

revengerat jc0der-firebyt3 evasion stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

JC0der-FireByt3

C2

nasadigitalgov.sytes.net:9222

Mutex

RV_MUTEX-FZMONFueOciq

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

RevengeRat Executable 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/916-58-0x00000000009E0000-0x00000000009EC000-memory.dmp	revengerat
behavioral1/memory/1112-62-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/1112-63-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/1112-64-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/1112-65-0x000000000040666E-mapping.dmp	revengerat
behavioral1/memory/1112-67-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat
behavioral1/memory/1112-69-0x0000000000400000-0x000000000040C000-memory.dmp	revengerat

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

description	pid	process	target process
PID 916 set thread context of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

pid	process
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
Token: SeDebugPrivilege	1112	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe

description	pid	process	target process
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1940	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1008	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe
PID 916 wrote to memory of 1112	916	dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe
"C:\Users\Admin\AppData\Local\Temp\dbf10315d6df7a360414da861c456fd9c07b53160525fde4cd5f51340d2da3d5.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-54-0x0000000001030000-0x00000000010F0000-memory.dmp

Filesize
768KB

Download
memory/916-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/916-56-0x0000000000590000-0x00000000005CE000-memory.dmp

Filesize
248KB

Download
memory/916-57-0x0000000000960000-0x0000000000988000-memory.dmp

Filesize
160KB

Download
memory/916-58-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/1112-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-62-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-65-0x000000000040666E-mapping.dmp

Download
memory/1112-67-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1112-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads