revengerat | 196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c

General

Target

196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
Size

7.2MB
MD5

3955a6d8e167f30a9254d4754425da8d
SHA1

0bfee09bc4d80744a28c32670d8c2c09e696e0ef
SHA256

196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c
SHA512

3b7a838e7207b4eaf770d55ad7f929839f4197d15b2a51787da52eafe63151ee117a8f995c58350f94596e8d2e1a1a2093cc1415835f1c09b51caad1b7faa484

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

rattedlmao.ddns.net:1337

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1636 svchost.exe

pid	process
1636	svchost.exe

Drops startup file 7 IoCs

Processes:

svchost.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.URL	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nigga = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1660 schtasks.exe

pid	process
1660	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1688	196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
Token: SeDebugPrivilege	1636	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exesvchost.exevbc.exe

description	pid	process	target process
PID 1688 wrote to memory of 1636	1688	196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe	svchost.exe
PID 1688 wrote to memory of 1636	1688	196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe	svchost.exe
PID 1688 wrote to memory of 1636	1688	196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe	svchost.exe
PID 1636 wrote to memory of 1300	1636	svchost.exe	vbc.exe
PID 1636 wrote to memory of 1300	1636	svchost.exe	vbc.exe
PID 1636 wrote to memory of 1300	1636	svchost.exe	vbc.exe
PID 1300 wrote to memory of 1680	1300	vbc.exe	cvtres.exe
PID 1300 wrote to memory of 1680	1300	vbc.exe	cvtres.exe
PID 1300 wrote to memory of 1680	1300	vbc.exe	cvtres.exe
PID 1636 wrote to memory of 1660	1636	svchost.exe	schtasks.exe
PID 1636 wrote to memory of 1660	1636	svchost.exe	schtasks.exe
PID 1636 wrote to memory of 1660	1636	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe
"C:\Users\Admin\AppData\Local\Temp\196daae5b03840f378df5af46824ff7bd77fdee3eea83d342ee952a1bd25548c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ndz78q3o.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7947.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7936.tmp"
4⤵
PID:1680

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Cozmics" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {F9A92814-BB8B-49A9-BCF5-8932A280C06D} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7947.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndz78q3o.0.vb
Filesize
180B

MD5
b8fa89af650dbff72d2e0538daea9d76

SHA1
36201ecf6ab056d059c07a2cf01b3771c08c956e

SHA256
59909c12b1a7d2d7269cb565a12ae3621ac7d1d7aea6c08d471bafa235b78959

SHA512
8f3879c6fe947b7285b7252fc88416d25e81c004338908ad4464de9fc119e30e625f7ffcaf96fc96e408488ccf0251526b947c60a6f17deaaa75eca7c84c5678

Download Submit
C:\Users\Admin\AppData\Local\Temp\ndz78q3o.cmdline
Filesize
195B

MD5
2f5ce560a77436efdb06f2fce9611ee7

SHA1
fc20f9a6e9366604689f1722d88eabcee9b54d05

SHA256
3746e04a63c2faca87f343621babbe576d9611cc8fa005368383218487a54f6c

SHA512
0e8eb5c472b95ca82e8567f0d2c0431ebd23766b6743774e419d7fad3f18413b06af17b3af5ca8f21c997ea08f3808188f4badb8e39372ca43f419ca4bb79017

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7936.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
Filesize
3.4MB

MD5
2cc295938bd451dd6307e4881c8c9a5b

SHA1
b0f605fba15ddd8e2f8c4058bd7e346cf85df75f

SHA256
d75f9ee76cf68e915afd9b9285d3693f4df756102a46994149c307f9833fa359

SHA512
1fc3ecc8c0c7c8803e2663f79afd7c4aaa5feab26b3a483ff456b3e31dd0a5ad2512e518594b4ac483220719edf138b8dc3a4192b04e636aa98d8ec6bc7c26c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost.exe
Filesize
4.9MB

MD5
591e0a58f891a5adc426c5db28a1ab69

SHA1
b79f43fd6f4cbd48663a127650f48da0ac14c801

SHA256
6385f1a2603ffb71351aa870120bf62975cf573f1e7b9e89deee6c2d8ede6808

SHA512
e5d8b82ebe1bc9c74481e02b1811aa56a3d7a5802ba6dcde90ebe281b2746bd54cece4558776cb5a9351b1956109c9f73575dcae64d81f2aa65b1b5f95b0f406

Download Submit
memory/1300-61-0x0000000000000000-mapping.dmp

Download
memory/1636-59-0x000007FEF2830000-0x000007FEF38C6000-memory.dmp

Filesize
16.6MB

Download
memory/1636-56-0x0000000000000000-mapping.dmp

Download
memory/1660-68-0x0000000000000000-mapping.dmp

Download
memory/1680-65-0x0000000000000000-mapping.dmp

Download
memory/1688-54-0x000007FEF2AA0000-0x000007FEF3B36000-memory.dmp

Filesize
16.6MB

Download
memory/1688-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads