revengerat | 9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f

General

Target

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
Size

972KB
MD5

bace24eadab2c4f223dc58709049b633
SHA1

6cf43ccca649bd07f05f118191b3b423e67dc86c
SHA256

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f
SHA512

79cfaff3ed06701b579c2cd5fdcab633208d490fc0a1d8f1ca456cf8b421aaac47fed18c656a7ebda1c53519098a999beb72f7d2f826ba25c0b6fc639e32f83e

Score

10^/10

revengerat cuidadonoip stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

cuidadonoip

C2

redlan1.hopto.org:3344

Mutex

RV_MUTEX-wawrHJfWfhaR

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3520-131-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMJPSET.url	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

description	pid	process	target process
PID 1820 set thread context of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

RegAsm.exe

description ioc process

File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3520 RegAsm.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3520	RegAsm.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

pid	process
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

pid	process
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe

description	pid	process	target process
PID 1820 wrote to memory of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe
PID 1820 wrote to memory of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe
PID 1820 wrote to memory of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe
PID 1820 wrote to memory of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe
PID 1820 wrote to memory of 3520	1820	9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe
"C:\Users\Admin\AppData\Local\Temp\9698e8777eb27b6304c236f03237e354dafb9bcc5e68559bafe051d58634e69f.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3520-131-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3520-130-0x0000000000000000-mapping.dmp

Download
memory/3520-135-0x0000000073530000-0x0000000073AE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads