revengerat | f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

Analysis

max time kernel
150s
max time network
40s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe
Size

146KB
MD5

02160709e380779caaf845dc207e4748
SHA1

e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd
SHA256

f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa
SHA512

3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1996-59-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1996-60-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1996-61-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1996-62-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1996-63-0x000000000042551E-mapping.dmp	revengerat
behavioral1/memory/1996-65-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
\Users\Admin\AppData\Roaming\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\svchost.exe	revengerat
behavioral1/memory/1424-91-0x000000000042551E-mapping.dmp	revengerat
\Users\Admin\AppData\Roaming\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Drops file in Drivers directory 1 IoCs

Processes:

aspnet_compiler.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts aspnet_compiler.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1460 svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

pid	process
1460	svchost.exe

Drops startup file 7 IoCs

Processes:

aspnet_compiler.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	aspnet_compiler.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.URL	aspnet_compiler.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Loads dropped DLL 2 IoCs

Processes:

aspnet_compiler.exeaspnet_compiler.exe

pid process

1996 aspnet_compiler.exe
1424 aspnet_compiler.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1996	aspnet_compiler.exe
1424	aspnet_compiler.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exeaspnet_compiler.exesvchost.exeaspnet_compiler.exe

description	pid	process	target process
PID 1972 set thread context of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1996 set thread context of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1460 set thread context of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1424 set thread context of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exeaspnet_compiler.exesvchost.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe
Token: SeDebugPrivilege	1996	aspnet_compiler.exe
Token: SeDebugPrivilege	1460	svchost.exe
Token: SeDebugPrivilege	1424	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exeaspnet_compiler.exesvchost.exeaspnet_compiler.exevbc.exe

description	pid	process	target process
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1972 wrote to memory of 1996	1972	f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1796	1996	aspnet_compiler.exe	aspnet_compiler.exe
PID 1996 wrote to memory of 1460	1996	aspnet_compiler.exe	svchost.exe
PID 1996 wrote to memory of 1460	1996	aspnet_compiler.exe	svchost.exe
PID 1996 wrote to memory of 1460	1996	aspnet_compiler.exe	svchost.exe
PID 1996 wrote to memory of 1460	1996	aspnet_compiler.exe	svchost.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1460 wrote to memory of 1424	1460	svchost.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 1164	1424	aspnet_compiler.exe	aspnet_compiler.exe
PID 1424 wrote to memory of 400	1424	aspnet_compiler.exe	vbc.exe
PID 1424 wrote to memory of 400	1424	aspnet_compiler.exe	vbc.exe
PID 1424 wrote to memory of 400	1424	aspnet_compiler.exe	vbc.exe
PID 1424 wrote to memory of 400	1424	aspnet_compiler.exe	vbc.exe
PID 400 wrote to memory of 1644	400	vbc.exe	cvtres.exe
PID 400 wrote to memory of 1644	400	vbc.exe	cvtres.exe
PID 400 wrote to memory of 1644	400	vbc.exe	cvtres.exe
PID 400 wrote to memory of 1644	400	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe
"C:\Users\Admin\AppData\Local\Temp\f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:1796

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
4⤵
- Drops file in Drivers directory
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
5⤵
PID:1164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpwa5icv\kpwa5icv.cmdline"
5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFF8318EBAED74A08BC7C1F5D4035D42D.TMP"
6⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7F10.tmp
Filesize
1KB

MD5
659f0a4e93c71c7e94f1c27da0b8d739

SHA1
e9bb7a4bc2157eafeb39bf8a955293406fcc5059

SHA256
86ee83c290d0bc59103e47f6c8d637306d86b4229e67154e96ab99601c1f9572

SHA512
fbf8e753096f7a8a0dda10d00e437001a8a1bf4893966e10d4d35dbc6c60317a05f164fa99486dbc3afcacb5e6da9fd6d17ec79665ccf22ff63b6ec2356bf31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SClgZbl.txt
Filesize
42B

MD5
6deeb2de7e2d8bee61293cb1b434a589

SHA1
b57f6ac8a7a8d747e5dc3910237a122cf818f14e

SHA256
c07d70212cd0e088ea25a172f0ed48855e0673ecd8b337359ea7117e5f50e344

SHA512
e90b7bc97a0d30fadfbf109c48b419655d72aacce1aa345cdd6343f3a4f52c8640bc57f768af27c940f0f64b7deab7a556a755de2b521bb442f16e27f5a5ebe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SClgZbl.txt
Filesize
102B

MD5
bf7e79674b57c0a8fd9bdbfe40790b86

SHA1
af2867cfca7727e3212fbc3ce3b65bf329943f06

SHA256
4b71c36f31cecacefb4db6d4adcceddd16bdbfb92cecc8dd828faa20227740d9

SHA512
418ad3de4fa5e37d1e5635ac3e21bad7b2bcb6b26e5729232b205df171a26b99525ef232eb2a6986daf8760dca9fbc14bbed4f52b20345aacc8ec201b227903b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpwa5icv\kpwa5icv.0.vb
Filesize
152B

MD5
96583e93a9f74d644c9dc5a24e7d657c

SHA1
4d5d628c7a4474cb6598e371a1f11316d8a620d8

SHA256
78d6591fce81a715565e4cebaa31b16de97951db137a9161b1a33ff63b85d02c

SHA512
dfd8314378b4e2aa4266b4c9820a087537b2aa3a0e1f12aa56e56086ca0a5f9d7c18a85647553139dcd60c4a4bbc56ccc3377ffc6dde790eb27d5cbb6ac0bafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpwa5icv\kpwa5icv.cmdline
Filesize
204B

MD5
0f17ee70cabdb146310350bef937a8bd

SHA1
678359601526a725d79fce20b22aefbbbe0f3122

SHA256
1416f5fcbb9be163b7c65918bea867ba010e1c211ee03f49c99d27ed2df66cee

SHA512
26ee6fb3aedc8b7f90d25ea255e47122314dc68bd26ce357bf3d6b31c1fe0b7d3f4f3ad2962c51dc94095b57e2500eab7388db0aeb21b7510af5b12a1d1eae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFF8318EBAED74A08BC7C1F5D4035D42D.TMP
Filesize
1KB

MD5
b10290e193d94a5e3c95660f0626a397

SHA1
7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

SHA256
75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

SHA512
6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
146KB

MD5
02160709e380779caaf845dc207e4748

SHA1
e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd

SHA256
f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

SHA512
3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
146KB

MD5
02160709e380779caaf845dc207e4748

SHA1
e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd

SHA256
f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

SHA512
3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
146KB

MD5
02160709e380779caaf845dc207e4748

SHA1
e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd

SHA256
f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

SHA512
3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
146KB

MD5
02160709e380779caaf845dc207e4748

SHA1
e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd

SHA256
f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

SHA512
3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
146KB

MD5
02160709e380779caaf845dc207e4748

SHA1
e0caa564e6b7c059bc1ef5a787f2f44b4b0823fd

SHA256
f1314a9c63f3c2b7874a3fee77a4ef1cf41c334ff595e1b09b185148c6679daa

SHA512
3b1bd7537410a7b83836ba72c840a0facd00df409f40764dcbd3d06a77cbd2593a133991b58ee05b41e27bed6c73548ed48c3e002effa7f6abc3e64a909d9b80

Download Submit
memory/400-109-0x0000000000000000-mapping.dmp

Download
memory/1164-101-0x000000000040ABC6-mapping.dmp

Download
memory/1424-91-0x000000000042551E-mapping.dmp

Download
memory/1460-93-0x00000000747B0000-0x0000000074D5B000-memory.dmp

Filesize
5.7MB

Download
memory/1460-80-0x0000000000000000-mapping.dmp

Download
memory/1644-113-0x0000000000000000-mapping.dmp

Download
memory/1796-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1796-72-0x000000000040ABC6-mapping.dmp

Download
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1996-63-0x000000000042551E-mapping.dmp

Download