revengerat | f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73

General

Target

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
Size

56KB
MD5

dd647c179fae75262e8c2a8a3bd433e3
SHA1

768f0723d57dcd9a83bb66b16451c12d50c81f89
SHA256

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73
SHA512

db99b7f472e3d8f03f85a32967d4b446ccda449e83a00c2eb6738107c076e984d57774bca0235383cb5f7fbf1a344fd54a7ad5626b08d068e96228100eb46e20

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Client.exe	revengerat
C:\Windows\SysWOW64\Client.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

3448 Client.exe

pid	process
3448	Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe

Drops startup file 2 IoCs

Processes:

Client.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Drops file in System32 directory 3 IoCs

Processes:

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exeClient.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Client.exe	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
File opened for modification	C:\Windows\SysWOW64\Client.exe	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
File created	C:\Windows\SysWOW64\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	1204	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
Token: SeDebugPrivilege	3448	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe

description	pid	process	target process
PID 1204 wrote to memory of 3448	1204	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe	Client.exe
PID 1204 wrote to memory of 3448	1204	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe	Client.exe
PID 1204 wrote to memory of 3448	1204	f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe
"C:\Users\Admin\AppData\Local\Temp\f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\Client.exe
"C:\Windows\system32\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Client.exe
Filesize
56KB

MD5
dd647c179fae75262e8c2a8a3bd433e3

SHA1
768f0723d57dcd9a83bb66b16451c12d50c81f89

SHA256
f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73

SHA512
db99b7f472e3d8f03f85a32967d4b446ccda449e83a00c2eb6738107c076e984d57774bca0235383cb5f7fbf1a344fd54a7ad5626b08d068e96228100eb46e20

Download Submit
C:\Windows\SysWOW64\Client.exe
Filesize
56KB

MD5
dd647c179fae75262e8c2a8a3bd433e3

SHA1
768f0723d57dcd9a83bb66b16451c12d50c81f89

SHA256
f167685c3f56500736c2946ef25ddffe3e7a8b6b92d30c3d065bebfdbae70d73

SHA512
db99b7f472e3d8f03f85a32967d4b446ccda449e83a00c2eb6738107c076e984d57774bca0235383cb5f7fbf1a344fd54a7ad5626b08d068e96228100eb46e20

Download Submit
memory/1204-130-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/3448-131-0x0000000000000000-mapping.dmp

Download
memory/3448-134-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads