revengerat | abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef

General

Target

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe
Size

873KB
MD5

36d7527dfeb6545fa18c41686ace0388
SHA1

d5da31212c94e127b21ba0a80e32dc84eb86d0e8
SHA256

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef
SHA512

c06dde1ebb168d0e7a997d57cd46ae13be2ceec1a60bb09869809bd498b6a42a4101d7a06fbcafe90cddbd16862d1ad73c4405e7b2b9f171639584bb02ed2a56

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

ournewcompany2.hopto.org:333

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2128-142-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1620-144-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/4816-140-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/5068-138-0x0000000000000000-mapping.dmp	revengerat
behavioral2/memory/1428-137-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral2/memory/1428-136-0x0000000000000000-mapping.dmp	revengerat

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\111.exe	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\111.exe	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe

description	pid	process	target process
PID 968 set thread context of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 set thread context of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 set thread context of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 set thread context of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 set thread context of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 set thread context of 1628	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3500 1628 WerFault.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3984 powershell.exe
3984 powershell.exe

pid	pid_target	process	target process
3500	1628	WerFault.exe	RegAsm.exe

pid	process
3984	powershell.exe
3984	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	4816	RegAsm.exe
Token: SeDebugPrivilege	5068	RegAsm.exe
Token: SeDebugPrivilege	1620	RegAsm.exe
Token: SeDebugPrivilege	2128	RegAsm.exe
Token: SeDebugPrivilege	1428	RegAsm.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe

description	pid	process	target process
PID 968 wrote to memory of 3984	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 968 wrote to memory of 3984	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 968 wrote to memory of 3984	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	powershell.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1428	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 5068	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 4816	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 2128	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1620	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1628	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1628	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1628	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe
PID 968 wrote to memory of 1628	968	abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe
"C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden ( Copy-Item -Path "C:\Users\Admin\AppData\Local\Temp\abaadb13e68f75e822c4d9468506cdeeb747eb88c7fec0f68b8b5b6d975b91ef.exe" -Destination "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\'Start Menu'\Programs\Startup\111.exe" )
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 80
3⤵
- Program crash
PID:3500

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1628 -ip 1628
1⤵
PID:624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize
411B

MD5
aa1e14353932d87c160bcc8b1f025429

SHA1
8be59f98296c1c5b9fb5ad84888d2a8dc6a3377d

SHA256
1c644f557743292853209410644526419eee72bfee8bfec839212b06d3b5e739

SHA512
7aec11c636bfe228d2029b87f980e979de9c214264eb2dbaa25186084e39f8732a83d44580300f98a15a1a9c0637e748c1f3eb4f46520ef4c6caaae07347033b

Download Submit
memory/1428-152-0x00000000701C0000-0x0000000070771000-memory.dmp

Filesize
5.7MB

Download
memory/1428-136-0x0000000000000000-mapping.dmp

Download
memory/1428-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1620-153-0x00000000701C0000-0x0000000070771000-memory.dmp

Filesize
5.7MB

Download
memory/1620-144-0x0000000000000000-mapping.dmp

Download
memory/1628-146-0x0000000000000000-mapping.dmp

Download
memory/2128-142-0x0000000000000000-mapping.dmp

Download
memory/2128-150-0x00000000701C0000-0x0000000070771000-memory.dmp

Filesize
5.7MB

Download
memory/3984-132-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/3984-131-0x00000000048E0000-0x0000000004916000-memory.dmp

Filesize
216KB

Download
memory/3984-135-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/3984-134-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/3984-148-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/3984-133-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/3984-158-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/3984-130-0x0000000000000000-mapping.dmp

Download
memory/3984-157-0x00000000063D0000-0x00000000063F2000-memory.dmp

Filesize
136KB

Download
memory/3984-156-0x0000000006350000-0x000000000636A000-memory.dmp

Filesize
104KB

Download
memory/3984-155-0x0000000006EA0000-0x0000000006F36000-memory.dmp

Filesize
600KB

Download
memory/4816-154-0x00000000701C0000-0x0000000070771000-memory.dmp

Filesize
5.7MB

Download
memory/4816-140-0x0000000000000000-mapping.dmp

Download
memory/5068-151-0x00000000701C0000-0x0000000070771000-memory.dmp

Filesize
5.7MB

Download
memory/5068-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads