revengerat | 052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1

General

Target

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Size

577KB
MD5

1711710d30ed4194ccfde68c6b6f3b22
SHA1

4f399c035bb370610940a96b3aab90eab884a925
SHA256

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1
SHA512

fbb943b1a20a4fbe0d1d5da5b5b874cb7b728354fc24c4ab1b0d827220052d7b34117980f7a1e993814b83bc02264a8af916a0fd909cbdd065cb11b396fc9353

Score

10^/10

revengerat guest evasion stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

93.155.97.82:333

93.155.97.82:1604

neudria.ddns.net:333

neudria.ddns.net:1604

Mutex

RV_MUTEX-ZFbTXZMONFueOci

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3248-138-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StreamX.Lnk cscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StreamX.Lnk	cscript.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

description	pid	process	target process
PID 4624 set thread context of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

pid	process
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
Token: SeDebugPrivilege	3248	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.execmd.exe

description	pid	process	target process
PID 4624 wrote to memory of 4892	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 4624 wrote to memory of 4892	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 4624 wrote to memory of 4892	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cscript.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 3248	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	RegAsm.exe
PID 4624 wrote to memory of 1396	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 4624 wrote to memory of 1396	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 4624 wrote to memory of 1396	4624	052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe	cmd.exe
PID 1396 wrote to memory of 3016	1396	cmd.exe	choice.exe
PID 1396 wrote to memory of 3016	1396	cmd.exe	choice.exe
PID 1396 wrote to memory of 3016	1396	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe
"C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\StreamX.vbs
2⤵
- Drops startup file
PID:4892

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\StreamX.exe

Filesize
577KB

MD5
1711710d30ed4194ccfde68c6b6f3b22

SHA1
4f399c035bb370610940a96b3aab90eab884a925

SHA256
052ee61fb5185d4a7e4406ca459dc6a089fb58e605d58c0a1cd285985b4ce9e1

SHA512
fbb943b1a20a4fbe0d1d5da5b5b874cb7b728354fc24c4ab1b0d827220052d7b34117980f7a1e993814b83bc02264a8af916a0fd909cbdd065cb11b396fc9353

Download Submit
C:\Users\Admin\StreamX.vbs

Filesize
275B

MD5
cf428ca413e6966414f8bd4e04ee48cb

SHA1
1db80df27ddfd1d81d181bc70c312dd3d4388bff

SHA256
15845597e335f71cad5e9b680bd6f1c7de7ba676dbb275b20b67c8fb9c6fc22e

SHA512
befce47732be9891c364db21c740deb0985c03114b1c1a3f83db03d3c0445a45558005125e25d8c897737f6c99e163b07b8fa28985387bf429cad7af00992f08

Download Submit
memory/1396-139-0x0000000000000000-mapping.dmp

Download
memory/3016-140-0x0000000000000000-mapping.dmp

Download
memory/3248-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3248-137-0x0000000000000000-mapping.dmp

Download
memory/3248-141-0x000000006FF00000-0x00000000704B1000-memory.dmp

Filesize
5.7MB

Download
memory/3248-142-0x000000006EB50000-0x000000006F2F8000-memory.dmp

Filesize
7.7MB

Download
memory/3248-143-0x000000006F360000-0x000000006FE60000-memory.dmp

Filesize
11.0MB

Download
memory/3248-144-0x000000006FF00000-0x00000000704B1000-memory.dmp

Filesize
5.7MB

Download
memory/3248-145-0x000000006EB50000-0x000000006F2F8000-memory.dmp

Filesize
7.7MB

Download
memory/3248-146-0x000000006F360000-0x000000006FE60000-memory.dmp

Filesize
11.0MB

Download
memory/4624-136-0x00000000064F0000-0x000000000658C000-memory.dmp

Filesize
624KB

Download
memory/4624-130-0x0000000000E70000-0x0000000000F06000-memory.dmp

Filesize
600KB

Download
memory/4624-132-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4624-131-0x0000000005CF0000-0x000000000621C000-memory.dmp

Filesize
5.2MB

Download
memory/4892-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads