revengerat | abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef

General

Target

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe
Size

873KB
MD5

36d7527dfeb6545fa18c41686ace0388
SHA1

d5da31212c94e127b21ba0a80e32dc84eb86d0e8
SHA256

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef
SHA512

c06dde1ebb168d0e7a997d57cd46ae13be2ceec1a60bb09869809bd498b6a42a4101d7a06fbcafe90cddbd16862d1ad73c4405e7b2b9f171639584bb02ed2a56

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

ournewcompany2.hopto.org:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 9 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2008-63-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/2008-67-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2008-62-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2008-61-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2008-71-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1960-73-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/1320-87-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/1044-98-0x0000000000405DCE-mapping.dmp	revengerat
behavioral1/memory/1356-108-0x0000000000405DCE-mapping.dmp	revengerat

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\111.exe	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\111.exe	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe

description	pid	process	target process
PID 1700 set thread context of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 set thread context of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 set thread context of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 set thread context of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 set thread context of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 set thread context of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1616 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1616 powershell.exe
Token: SeDebugPrivilege 1356 RegAsm.exe

pid	process
1616	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1356	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe

description	pid	process	target process
PID 1700 wrote to memory of 1616	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 1700 wrote to memory of 1616	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 1700 wrote to memory of 1616	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 1700 wrote to memory of 1616	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 2008	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1960	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 680	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1320	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1044	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 1700 wrote to memory of 1356	1700	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe
"C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden ( Copy-Item -Path "C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe" -Destination "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\111.exe" )
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:680

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-79-0x0000000000405DCE-mapping.dmp

Download
memory/1044-116-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-98-0x0000000000405DCE-mapping.dmp

Download
memory/1320-117-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-87-0x0000000000405DCE-mapping.dmp

Download
memory/1356-119-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-108-0x0000000000405DCE-mapping.dmp

Download
memory/1616-55-0x0000000000000000-mapping.dmp

Download
memory/1616-57-0x0000000073E30000-0x00000000743DB000-memory.dmp

Filesize
5.7MB

Download
memory/1700-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1960-115-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-73-0x0000000000405DCE-mapping.dmp

Download
memory/2008-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-59-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2008-118-0x0000000073560000-0x0000000073B0B000-memory.dmp

Filesize
5.7MB

Download
memory/2008-63-0x0000000000405DCE-mapping.dmp

Download
memory/2008-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads