revengerat | 015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913

Analysis

max time kernel
151s
max time network
112s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
Size

1.9MB
MD5

3d8e51c2357616f4869fdebb9a1089fd
SHA1

73389447d55532c9d241b7fbd61e212bcedd64fa
SHA256

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913
SHA512

f04768f4cfbe154d96a2d14b5737660eeb4925a47d7a9ba03ede69484e10363ae5829c38f4d7dbf47c47bd89f46c8dbb25e3e5904d6462e93a7e746e89038581

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2000-67-0x00000000003B0000-0x00000000003DC000-memory.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

njRat Detector by FR34K.exeMicrosoft.Net_Framework_Servcies.exeCustimize Version.exe

pid process

2028 njRat Detector by FR34K.exe
2000 Microsoft.Net_Framework_Servcies.exe
1308 Custimize Version.exe

pid	process
2028	njRat Detector by FR34K.exe
2000	Microsoft.Net_Framework_Servcies.exe
1308	Custimize Version.exe

Loads dropped DLL 3 IoCs

Processes:

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exeRegSvcs.exe

pid	process
756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
1956	RegSvcs.exe

Drops file in System32 directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Custimize Version.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\Custimize Version.exe	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Microsoft.Net_Framework_Servcies.exeRegSvcs.exeCustimize Version.exeRegSvcs.exe

description	pid	process	target process
PID 2000 set thread context of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 1956 set thread context of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1308 set thread context of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1772 set thread context of 1596	1772	RegSvcs.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Microsoft.Net_Framework_Servcies.exeRegSvcs.exeCustimize Version.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2000	Microsoft.Net_Framework_Servcies.exe
Token: SeDebugPrivilege	1956	RegSvcs.exe
Token: SeDebugPrivilege	1308	Custimize Version.exe
Token: SeDebugPrivilege	1772	RegSvcs.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exeMicrosoft.Net_Framework_Servcies.exeRegSvcs.exeCustimize Version.exeRegSvcs.exe

description	pid	process	target process
PID 756 wrote to memory of 2028	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 756 wrote to memory of 2028	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 756 wrote to memory of 2028	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 756 wrote to memory of 2028	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	njRat Detector by FR34K.exe
PID 756 wrote to memory of 2000	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 756 wrote to memory of 2000	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 756 wrote to memory of 2000	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 756 wrote to memory of 2000	756	015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe	Microsoft.Net_Framework_Servcies.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 2000 wrote to memory of 1956	2000	Microsoft.Net_Framework_Servcies.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1556	1956	RegSvcs.exe	RegSvcs.exe
PID 1956 wrote to memory of 1308	1956	RegSvcs.exe	Custimize Version.exe
PID 1956 wrote to memory of 1308	1956	RegSvcs.exe	Custimize Version.exe
PID 1956 wrote to memory of 1308	1956	RegSvcs.exe	Custimize Version.exe
PID 1956 wrote to memory of 1308	1956	RegSvcs.exe	Custimize Version.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1308 wrote to memory of 1772	1308	Custimize Version.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe
PID 1772 wrote to memory of 1596	1772	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe
"C:\Users\Admin\AppData\Local\Temp\015e7ab1853880b533bbaeaba38acbba3ba151cdbb9f433b48ccffc9132f0913.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
"C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe"
2⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1556

C:\Windows\SysWOW64\Custimize Version.exe
"C:\Windows\system32\Custimize Version.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
6⤵
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\bClgZblRv.txt
Filesize
41B

MD5
177cfbcc4a41dc65fa7b5e4399bb2b0f

SHA1
ed216f67a50f851a0cb4351ef14084f385388f88

SHA256
07644cb006cc4fcfa0339ec6903c8f160b9f7489121511238b5aec03ea98ad55

SHA512
517dcec31a7806a106d853ac4c9e6fb8355f9e280082857b3c1f128d6e61a0e2ad73dc769e49a985d66a7d97f1ce38b81ce6e8b25b47ef9637d7ff1a1ec3d974

Download Submit
C:\Users\Admin\AppData\Local\Temp\bClgZblRv.txt
Filesize
70B

MD5
ace36b6cf6dcc347541bac64d904ce97

SHA1
31c97f07799654e5849ae08405e215538b1ab4ba

SHA256
0e2d31ea39cf5519b1db121f56a9f083881323e697f851b7d3cc59eecd74b5d0

SHA512
58ac72166300701b0f579d0004dfb380859f981f935e4af598701407ffd08618d4e6d634e8de9845f52b5a6c395d34571cdf309632091c891cb4a30dd043f45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
799KB

MD5
3b4c48b0ca7023f3a46c845164bcfeca

SHA1
42a90b07574466fa9c5780ed24afeccb56605cfb

SHA256
1192af051444ed0b257a36d774337c6be6d2ac415642f22416ea8df5945d80e2

SHA512
8a35804fa9b91ed4c0f63915d6da6d8f22bb005e7fb824f75dae8999b55722b9d061350620f31d9a5921caed7d1196bd3c1bf6077ca4f7605aadf943ba2c7bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
799KB

MD5
3b4c48b0ca7023f3a46c845164bcfeca

SHA1
42a90b07574466fa9c5780ed24afeccb56605cfb

SHA256
1192af051444ed0b257a36d774337c6be6d2ac415642f22416ea8df5945d80e2

SHA512
8a35804fa9b91ed4c0f63915d6da6d8f22bb005e7fb824f75dae8999b55722b9d061350620f31d9a5921caed7d1196bd3c1bf6077ca4f7605aadf943ba2c7bef

Download Submit
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
C:\Windows\SysWOW64\Custimize Version.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.Net_Framework_Servcies.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
\Users\Admin\AppData\Local\Temp\njRat Detector by FR34K.exe
Filesize
799KB

MD5
3b4c48b0ca7023f3a46c845164bcfeca

SHA1
42a90b07574466fa9c5780ed24afeccb56605cfb

SHA256
1192af051444ed0b257a36d774337c6be6d2ac415642f22416ea8df5945d80e2

SHA512
8a35804fa9b91ed4c0f63915d6da6d8f22bb005e7fb824f75dae8999b55722b9d061350620f31d9a5921caed7d1196bd3c1bf6077ca4f7605aadf943ba2c7bef

Download Submit
\Windows\SysWOW64\Custimize Version.exe
Filesize
603KB

MD5
f6b4e39148918a63d1e19e9d18ee8e4c

SHA1
e23a5409e1d5293044f65443f9291491dc18d2f9

SHA256
0f267418e475fd586fedda62df850e15cdbcda477a41c62ac3403e4364d4ea67

SHA512
dbf35fc8444ecb406501345d620b94f56aa60adeffe47bb564da1c29206b647fbdb0d39771351274ab51831da1bc0381bc25cf18f62210a68839f8ca9dc20c44

Download Submit
memory/756-55-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/756-54-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download
memory/1308-104-0x0000000000000000-mapping.dmp

Download
memory/1308-107-0x0000000000A40000-0x0000000000ADC000-memory.dmp

Filesize
624KB

Download
memory/1556-102-0x0000000000490000-0x00000000004B0000-memory.dmp

Filesize
128KB

Download
memory/1556-101-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-98-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-93-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-94-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-91-0x0000000000408356-mapping.dmp

Download
memory/1556-88-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-89-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-86-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1556-85-0x0000000000090000-0x000000000009E000-memory.dmp

Filesize
56KB

Download
memory/1596-128-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1596-125-0x0000000000408356-mapping.dmp

Download
memory/1596-131-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/1596-130-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1772-116-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1772-114-0x0000000000497FA2-mapping.dmp

Download
memory/1772-118-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1956-75-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-69-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-68-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-71-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-74-0x0000000000497FA2-mapping.dmp

Download
memory/1956-72-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-83-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-76-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/1956-80-0x0000000000090000-0x000000000012C000-memory.dmp

Filesize
624KB

Download
memory/2000-65-0x0000000000C60000-0x0000000000CFC000-memory.dmp

Filesize
624KB

Download
memory/2000-67-0x00000000003B0000-0x00000000003DC000-memory.dmp

Filesize
176KB

Download
memory/2000-61-0x0000000000000000-mapping.dmp

Download
memory/2028-84-0x0000000004865000-0x0000000004876000-memory.dmp

Filesize
68KB

Download
memory/2028-64-0x0000000000D80000-0x0000000000E4E000-memory.dmp

Filesize
824KB

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download