revengerat | 2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4

General

Target

2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe
Size

69KB
MD5

7a8741e0e7279c649172efbfeae3735b
SHA1

7087c77fc72af28a5a72afcc1a16f7b56c84cb27
SHA256

2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4
SHA512

1b9359cc3638412919b3bb5d6dabe7c5b5014eeb36bea5bf94cbd8cbf25d1a20804f4c0ee9ec46d0480549955d24aebdd93e0839b46a9eb51a93d6aea2e86488

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 10 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe	revengerat
behavioral1/memory/1960-66-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/1960-67-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/1960-68-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/1960-69-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
behavioral1/memory/1960-70-0x000000000040F74E-mapping.dmp	revengerat
behavioral1/memory/1960-72-0x0000000000400000-0x0000000000416000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32	revengerat

Executes dropped EXE 1 IoCs

Processes:

Hqgklhovvqvg.exe

pid process

520 Hqgklhovvqvg.exe
Loads dropped DLL 1 IoCs

Processes:

2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe

pid process

1032 2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe

pid	process
520	Hqgklhovvqvg.exe

pid	process
1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Hqgklhovvqvg.exeRegAsm.exe

description	pid	process	target process
PID 520 set thread context of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 1960 set thread context of 1156	1960	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2032 NOTEPAD.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Hqgklhovvqvg.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 520 Hqgklhovvqvg.exe
Token: SeDebugPrivilege 1960 RegAsm.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1444 AcroRd32.exe
1444 AcroRd32.exe
1444 AcroRd32.exe

pid	process
2032	NOTEPAD.EXE

description	pid	process
Token: SeDebugPrivilege	520	Hqgklhovvqvg.exe
Token: SeDebugPrivilege	1960	RegAsm.exe

pid	process
1444	AcroRd32.exe
1444	AcroRd32.exe
1444	AcroRd32.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exeHqgklhovvqvg.exeRegAsm.exerundll32.exe

description	pid	process	target process
PID 1032 wrote to memory of 2032	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	NOTEPAD.EXE
PID 1032 wrote to memory of 2032	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	NOTEPAD.EXE
PID 1032 wrote to memory of 2032	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	NOTEPAD.EXE
PID 1032 wrote to memory of 2032	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	NOTEPAD.EXE
PID 1032 wrote to memory of 520	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	Hqgklhovvqvg.exe
PID 1032 wrote to memory of 520	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	Hqgklhovvqvg.exe
PID 1032 wrote to memory of 520	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	Hqgklhovvqvg.exe
PID 1032 wrote to memory of 520	1032	2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe	Hqgklhovvqvg.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 520 wrote to memory of 1960	520	Hqgklhovvqvg.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1156	1960	RegAsm.exe	RegAsm.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1960 wrote to memory of 1948	1960	RegAsm.exe	rundll32.exe
PID 1948 wrote to memory of 1444	1948	rundll32.exe	AcroRd32.exe
PID 1948 wrote to memory of 1444	1948	rundll32.exe	AcroRd32.exe
PID 1948 wrote to memory of 1444	1948	rundll32.exe	AcroRd32.exe
PID 1948 wrote to memory of 1444	1948	rundll32.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe
"C:\Users\Admin\AppData\Local\Temp\2bbaca2a87764bc28c643709da48f8460c2144b22faf750fefcaa9d7307f26b4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Ptqrcicefw.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:2032

C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe
"C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1156

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32
4⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32"
5⤵
- Suspicious use of SetWindowsHookEx
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AEKgHDMFLR.txt
Filesize
50B

MD5
2bc03073884a7c0f98af64ef7001d38f

SHA1
9577202e61e3f01bb85375e2f02786c49857405b

SHA256
5bc7c1cae73e66ed59145dbfdedd3d96f9c2a571305660ed726ac405acd9edd6

SHA512
92a4a34bbebdf5b7c929cf97371b3a80df7fbf34f539ab508a46f8e7e7dc2d51b7b703d92a223de51c6d3a43c0ca788d9ba577560e4da1d74e976a9e641a548d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe
Filesize
59KB

MD5
ccf82f14b4a0ff65e19f4e82f08084bf

SHA1
25e36faea903fd90281e80e1603bd58de5206a39

SHA256
9810bd3836ddd9e29bead8d7312d33c611e120f49b9d3569a8d613121a956e17

SHA512
ea121df7e929bebf394fcfbfb895030810609a4b6541bbd373ec9127114faa38f9c63d79f2ca1b415e658effaebf9e7b4b045e016eb683f8b1fde42138770be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe
Filesize
59KB

MD5
ccf82f14b4a0ff65e19f4e82f08084bf

SHA1
25e36faea903fd90281e80e1603bd58de5206a39

SHA256
9810bd3836ddd9e29bead8d7312d33c611e120f49b9d3569a8d613121a956e17

SHA512
ea121df7e929bebf394fcfbfb895030810609a4b6541bbd373ec9127114faa38f9c63d79f2ca1b415e658effaebf9e7b4b045e016eb683f8b1fde42138770be2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\svchost32
Filesize
59KB

MD5
ccf82f14b4a0ff65e19f4e82f08084bf

SHA1
25e36faea903fd90281e80e1603bd58de5206a39

SHA256
9810bd3836ddd9e29bead8d7312d33c611e120f49b9d3569a8d613121a956e17

SHA512
ea121df7e929bebf394fcfbfb895030810609a4b6541bbd373ec9127114faa38f9c63d79f2ca1b415e658effaebf9e7b4b045e016eb683f8b1fde42138770be2

Download Submit
\Users\Admin\AppData\Local\Temp\Hqgklhovvqvg.exe
Filesize
59KB

MD5
ccf82f14b4a0ff65e19f4e82f08084bf

SHA1
25e36faea903fd90281e80e1603bd58de5206a39

SHA256
9810bd3836ddd9e29bead8d7312d33c611e120f49b9d3569a8d613121a956e17

SHA512
ea121df7e929bebf394fcfbfb895030810609a4b6541bbd373ec9127114faa38f9c63d79f2ca1b415e658effaebf9e7b4b045e016eb683f8b1fde42138770be2

Download Submit
memory/520-59-0x0000000000000000-mapping.dmp

Download
memory/520-73-0x000000006FB60000-0x000000007010B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-55-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download
memory/1032-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1156-81-0x000000000040CE5E-mapping.dmp

Download
memory/1156-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-84-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1444-91-0x0000000000000000-mapping.dmp

Download
memory/1948-88-0x0000000000000000-mapping.dmp

Download
memory/1960-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-70-0x000000000040F74E-mapping.dmp

Download
memory/1960-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2032-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads