revengerat | 08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779

General

Target

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
Size

345KB
MD5

b4f7d6c32fd88f6f0743eb92dead9508
SHA1

148dc196a6c47cf25e09b626d061c9ea1d5ba531
SHA256

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779
SHA512

119fd596fbfe7e97a5bfdb2d39e681e038adcf31aaeea7c4c884a908dc6736ec36991b55e69a374832553bb41bfae02b35264b54a5ed076bde0db7bfa25f3a42

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

185.29.10.15:6984

Mutex

RV_MUTEX-LuSAtYBxGgZH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4196-138-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

description	pid	process	target process
PID 4388 set thread context of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

description	pid	process
Token: SeDebugPrivilege	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
Token: SeDebugPrivilege	4196	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

description	pid	process	target process
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
PID 4388 wrote to memory of 4196	4388	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe	08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe

C:\Users\Admin\AppData\Local\Temp\08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
"C:\Users\Admin\AppData\Local\Temp\08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe
"C:\Users\Admin\AppData\Local\Temp\08812395ae9ee8cced9280aa0da4186a06d69e9bc2a1aef970ca383f504a4779.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4196-137-0x0000000000000000-mapping.dmp

Download
memory/4196-142-0x0000000000EC0000-0x0000000000F1E000-memory.dmp

Filesize
376KB

Download
memory/4196-141-0x0000000000EC0000-0x0000000000F1E000-memory.dmp

Filesize
376KB

Download
memory/4196-140-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/4196-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4388-136-0x0000000009F40000-0x0000000009FDC000-memory.dmp

Filesize
624KB

Download
memory/4388-130-0x0000000000570000-0x00000000005CE000-memory.dmp

Filesize
376KB

Download
memory/4388-135-0x0000000000570000-0x00000000005CE000-memory.dmp

Filesize
376KB

Download
memory/4388-134-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/4388-139-0x0000000000570000-0x00000000005CE000-memory.dmp

Filesize
376KB

Download
memory/4388-133-0x0000000004F80000-0x0000000005012000-memory.dmp

Filesize
584KB

Download
memory/4388-132-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/4388-131-0x0000000000570000-0x00000000005CE000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads