revengerat | 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee

General

Target

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
Size

73KB
MD5

c614070ca1587a1512a857dd520e22ca
SHA1

ba8f33ced64886e0d8f02ecef1da17f653e8438c
SHA256

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee
SHA512

865aa8428b784119d48ea5969968d5f8b872e22b8b3aab2db7f907324d02290188f0e3d3654650178e013a528f8f5f9265f563b0056b0c365114757869601ead

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 9 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe	revengerat
\Users\Admin\AppData\Local\Temp\Eeuxi.exe	revengerat
behavioral1/memory/1988-72-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1988-70-0x000000000041049E-mapping.dmp	revengerat
behavioral1/memory/1988-69-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1988-68-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1988-67-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral1/memory/1988-66-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

Eeuxi.exe

pid process

1700 Eeuxi.exe
Loads dropped DLL 1 IoCs

Processes:

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

pid process

760 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

pid	process
1700	Eeuxi.exe

pid	process
760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Eeuxi.exeRegAsm.exe

description	pid	process	target process
PID 1700 set thread context of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1988 set thread context of 1164	1988	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2040 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Eeuxi.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1700 Eeuxi.exe
Token: SeDebugPrivilege 1988 RegAsm.exe

pid	process
2040	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	1700	Eeuxi.exe
Token: SeDebugPrivilege	1988	RegAsm.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exeEeuxi.exeRegAsm.exe

description	pid	process	target process
PID 760 wrote to memory of 1700	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 760 wrote to memory of 1700	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 760 wrote to memory of 1700	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 760 wrote to memory of 1700	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 760 wrote to memory of 2040	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 760 wrote to memory of 2040	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 760 wrote to memory of 2040	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 760 wrote to memory of 2040	760	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1700 wrote to memory of 1988	1700	Eeuxi.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe
PID 1988 wrote to memory of 1164	1988	RegAsm.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
"C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rkcrkt.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2040

C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
"C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1164

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32
4⤵
PID:1940

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32"
5⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
Filesize
62KB

MD5
d688b3d533d9c52e3c0c1d3bfa5776d4

SHA1
93a192a0f6eee57cec912737fedca5c3ff3e4cf5

SHA256
582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396

SHA512
66747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
Filesize
62KB

MD5
d688b3d533d9c52e3c0c1d3bfa5776d4

SHA1
93a192a0f6eee57cec912737fedca5c3ff3e4cf5

SHA256
582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396

SHA512
66747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwCkjosn.txt
Filesize
43B

MD5
231a2b62e49e8c8ff5f2b629166efa0d

SHA1
689336b77ff41d2c4fabe2fff95ba288c94860ea

SHA256
1df0e755f2abdd2f5c644964a38f578c58b63a36425c65882132728222e4c903

SHA512
b7cc64a84cf7bbd227d86b309644efd7f2d080eeecea3ac7aaa2b919b662e068b7e38e7ab6223b2d86f7732dfca45fed50d24185e8eec8ef9c072c9f6d1a617b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32

Download Submit
\Users\Admin\AppData\Local\Temp\Eeuxi.exe
Filesize
62KB

MD5
d688b3d533d9c52e3c0c1d3bfa5776d4

SHA1
93a192a0f6eee57cec912737fedca5c3ff3e4cf5

SHA256
582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396

SHA512
66747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb

Download Submit
memory/760-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/760-55-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1164-76-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-84-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-91-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-88-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-83-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-81-0x000000000040CE5E-mapping.dmp

Download
memory/1164-79-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-78-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1164-75-0x0000000000090000-0x00000000000A2000-memory.dmp

Filesize
72KB

Download
memory/1680-96-0x0000000000000000-mapping.dmp

Download
memory/1700-74-0x0000000070260000-0x000000007080B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-57-0x0000000000000000-mapping.dmp

Download
memory/1940-93-0x0000000000000000-mapping.dmp

Download
memory/1988-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-68-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-67-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-64-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-63-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-69-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1988-70-0x000000000041049E-mapping.dmp

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads