revengerat | 86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee

General

Target

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
Size

73KB
MD5

c614070ca1587a1512a857dd520e22ca
SHA1

ba8f33ced64886e0d8f02ecef1da17f653e8438c
SHA256

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee
SHA512

865aa8428b784119d48ea5969968d5f8b872e22b8b3aab2db7f907324d02290188f0e3d3654650178e013a528f8f5f9265f563b0056b0c365114757869601ead

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 4 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe	revengerat
behavioral2/memory/8-141-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat
behavioral2/memory/8-139-0x0000000000400000-0x0000000000418000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

Eeuxi.exe

pid process

4556 Eeuxi.exe

pid	process
4556	Eeuxi.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Eeuxi.exeRegAsm.exe

description pid process target process

PID 4556 set thread context of 8 4556 Eeuxi.exe RegAsm.exe
PID 8 set thread context of 4468 8 RegAsm.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4556 set thread context of 8	4556	Eeuxi.exe	RegAsm.exe
PID 8 set thread context of 4468	8	RegAsm.exe	RegAsm.exe

Modifies registry class 1 IoCs

Processes:

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4852 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Eeuxi.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 4556 Eeuxi.exe
Token: SeDebugPrivilege 8 RegAsm.exe

pid	process
4852	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	4556	Eeuxi.exe
Token: SeDebugPrivilege	8	RegAsm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exeEeuxi.exeRegAsm.exe

description	pid	process	target process
PID 3232 wrote to memory of 4556	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 3232 wrote to memory of 4556	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 3232 wrote to memory of 4556	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	Eeuxi.exe
PID 3232 wrote to memory of 4852	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 3232 wrote to memory of 4852	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 3232 wrote to memory of 4852	3232	86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe	NOTEPAD.EXE
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 4556 wrote to memory of 8	4556	Eeuxi.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe
PID 8 wrote to memory of 4468	8	RegAsm.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe
"C:\Users\Admin\AppData\Local\Temp\86e39626196a841f054a58ba325a49e23699321d28f434532bab873a535f8eee.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rkcrkt.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4852

C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
"C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
Filesize
62KB

MD5
d688b3d533d9c52e3c0c1d3bfa5776d4

SHA1
93a192a0f6eee57cec912737fedca5c3ff3e4cf5

SHA256
582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396

SHA512
66747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eeuxi.exe
Filesize
62KB

MD5
d688b3d533d9c52e3c0c1d3bfa5776d4

SHA1
93a192a0f6eee57cec912737fedca5c3ff3e4cf5

SHA256
582c68421be1066bfbe96b80acbe651ad6981f498b34a031bac13be52cb61396

SHA512
66747bcb9629421730fd7909e8cf385741d335565fda2796bc6803353d91a4abdc8658d3dd11e12433c83ed8aa099e3b4232d4b0a10408dc45eaf01b0bb604cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwCkjosn.txt
Filesize
43B

MD5
231a2b62e49e8c8ff5f2b629166efa0d

SHA1
689336b77ff41d2c4fabe2fff95ba288c94860ea

SHA256
1df0e755f2abdd2f5c644964a38f578c58b63a36425c65882132728222e4c903

SHA512
b7cc64a84cf7bbd227d86b309644efd7f2d080eeecea3ac7aaa2b919b662e068b7e38e7ab6223b2d86f7732dfca45fed50d24185e8eec8ef9c072c9f6d1a617b

Download Submit
memory/8-138-0x0000000000000000-mapping.dmp

Download
memory/8-141-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/8-144-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/8-143-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/8-139-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3232-130-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3232-133-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/3232-132-0x0000000004930000-0x00000000049C2000-memory.dmp

Filesize
584KB

Download
memory/3232-131-0x0000000004A00000-0x0000000004FA4000-memory.dmp

Filesize
5.6MB

Download
memory/4468-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-145-0x0000000000000000-mapping.dmp

Download
memory/4556-142-0x000000006F670000-0x000000006FC21000-memory.dmp

Filesize
5.7MB

Download
memory/4556-134-0x0000000000000000-mapping.dmp

Download
memory/4852-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads