revengerat | c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2

General

Target

c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe
Size

17KB
MD5

df66356151d4671e06f88a44b4c28dd3
SHA1

015f855ae32785eb9ea8ad1ecf252e3b6efaf88a
SHA256

c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2
SHA512

bde5b8f19acca1dbec8516bfc9391173edad64315a8277c454e296807a2fae7cafdc644707e082c5f984e546893f6220651895665b4f0489aeb565457e0e4a83

Score

10^/10

revengerat m939 stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

M939

C2

landbo.ddns.net:2772

Mutex

RV_MUTEX-JRMSltdcKeYu

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\hlak.exe	revengerat
C:\Users\Admin\AppData\Roaming\hlak.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

hlak.exe

pid process

1968 hlak.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1208 schtasks.exe

pid	process
1968	hlak.exe

pid	process
1208	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exehlak.exe

description	pid	process
Token: SeDebugPrivilege	1664	c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe
Token: SeDebugPrivilege	1968	hlak.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exehlak.exe

description	pid	process	target process
PID 1664 wrote to memory of 1968	1664	c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe	hlak.exe
PID 1664 wrote to memory of 1968	1664	c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe	hlak.exe
PID 1664 wrote to memory of 1968	1664	c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe	hlak.exe
PID 1968 wrote to memory of 1208	1968	hlak.exe	schtasks.exe
PID 1968 wrote to memory of 1208	1968	hlak.exe	schtasks.exe
PID 1968 wrote to memory of 1208	1968	hlak.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe
"C:\Users\Admin\AppData\Local\Temp\c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\hlak.exe
"C:\Users\Admin\AppData\Roaming\hlak.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 5 /tn "hort" /tr "C:\Users\Admin\AppData\Roaming\hlak.exe"
3⤵
- Creates scheduled task(s)
PID:1208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hlak.exe

Filesize
17KB

MD5
df66356151d4671e06f88a44b4c28dd3

SHA1
015f855ae32785eb9ea8ad1ecf252e3b6efaf88a

SHA256
c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2

SHA512
bde5b8f19acca1dbec8516bfc9391173edad64315a8277c454e296807a2fae7cafdc644707e082c5f984e546893f6220651895665b4f0489aeb565457e0e4a83

Download Submit
C:\Users\Admin\AppData\Roaming\hlak.exe

Filesize
17KB

MD5
df66356151d4671e06f88a44b4c28dd3

SHA1
015f855ae32785eb9ea8ad1ecf252e3b6efaf88a

SHA256
c99d475a1d153a4e46829fa4c1cfebeb7ac73c3a5723d873fb5ff80ad32903b2

SHA512
bde5b8f19acca1dbec8516bfc9391173edad64315a8277c454e296807a2fae7cafdc644707e082c5f984e546893f6220651895665b4f0489aeb565457e0e4a83

Download Submit
memory/1208-60-0x0000000000000000-mapping.dmp

Download
memory/1664-54-0x000007FEF37B0000-0x000007FEF4846000-memory.dmp

Filesize
16.6MB

Download
memory/1664-55-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1968-59-0x000007FEF3300000-0x000007FEF4396000-memory.dmp

Filesize
16.6MB

Download
memory/1968-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads