revengerat | 6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

General

Target

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Size

82KB
MD5

6e6667b71a86780268828232d4363f63
SHA1

e6f6cb0f70c628c797d2e79717cc331c8f5d3f76
SHA256

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef
SHA512

6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Score

10^/10

revengerat fram 3 fabio stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

FRAM 3 FABIO

C2

rua7.ddns.net:1000

Mutex

RV_MUTEX-RRHXJvbCGPPiC

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/880-55-0x00000000003F0000-0x00000000003F8000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

NetFramework.exe

pid process

1272 NetFramework.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1272	NetFramework.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exeNetFramework.exe

description	pid	process
Token: SeDebugPrivilege	880	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Token: SeDebugPrivilege	1272	NetFramework.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe

description	pid	process	target process
PID 880 wrote to memory of 1272	880	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe	NetFramework.exe
PID 880 wrote to memory of 1272	880	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe	NetFramework.exe
PID 880 wrote to memory of 1272	880	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe	NetFramework.exe

C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
"C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
Filesize
82KB

MD5
6e6667b71a86780268828232d4363f63

SHA1
e6f6cb0f70c628c797d2e79717cc331c8f5d3f76

SHA256
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

SHA512
6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
Filesize
82KB

MD5
6e6667b71a86780268828232d4363f63

SHA1
e6f6cb0f70c628c797d2e79717cc331c8f5d3f76

SHA256
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

SHA512
6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Download Submit
memory/880-54-0x0000000001390000-0x00000000013AC000-memory.dmp

Filesize
112KB

Download
memory/880-55-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/1272-59-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads