revengerat | 06672589c9c70009f9342ba946bcf8f671b7fc3a1f1031b02442f3d85e0afe94

Analysis

max time kernel
91s
max time network
173s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00INVN0987.js
Size

204KB
MD5

3a2a1650aa3f0bdf262b244f636c01c5
SHA1

a7d61b35c91326e983c7d725b1ed8f49162f4758
SHA256

06672589c9c70009f9342ba946bcf8f671b7fc3a1f1031b02442f3d85e0afe94
SHA512

d05201160c7e3331db834a5d986e93c13506e2f28b431ffc452f4aef47266d0a7b0541dc9178cb974f73c18064d964bda5d6d43ce0f3519e5cc1275c7b03fb3f

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\001.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\001.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

001.exeClient.exe

pid process

956 001.exe
760 Client.exe

pid	process
956	001.exe
760	Client.exe

Drops startup file 7 IoCs

Processes:

Client.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

001.exeClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	001.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	001.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

001.exeClient.exe

description pid process

Token: SeDebugPrivilege 956 001.exe
Token: SeDebugPrivilege 760 Client.exe

description	pid	process
Token: SeDebugPrivilege	956	001.exe
Token: SeDebugPrivilege	760	Client.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exe001.exeClient.exevbc.exe

description	pid	process	target process
PID 1364 wrote to memory of 1316	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 1316	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 1316	1364	wscript.exe	wscript.exe
PID 1364 wrote to memory of 956	1364	wscript.exe	001.exe
PID 1364 wrote to memory of 956	1364	wscript.exe	001.exe
PID 1364 wrote to memory of 956	1364	wscript.exe	001.exe
PID 956 wrote to memory of 760	956	001.exe	Client.exe
PID 956 wrote to memory of 760	956	001.exe	Client.exe
PID 956 wrote to memory of 760	956	001.exe	Client.exe
PID 760 wrote to memory of 1512	760	Client.exe	vbc.exe
PID 760 wrote to memory of 1512	760	Client.exe	vbc.exe
PID 760 wrote to memory of 1512	760	Client.exe	vbc.exe
PID 1512 wrote to memory of 1680	1512	vbc.exe	cvtres.exe
PID 1512 wrote to memory of 1680	1512	vbc.exe	cvtres.exe
PID 1512 wrote to memory of 1680	1512	vbc.exe	cvtres.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\00INVN0987.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\myNUstntrH.js"
2⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\001.exe
"C:\Users\Admin\AppData\Local\Temp\001.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eosahawn.cmdline"
4⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcACE3.tmp"
5⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\001.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\001.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESACF4.tmp
Filesize
1KB

MD5
b1bcdb2a07819b8ecab7735148e3668e

SHA1
5ec0fbf507dc963b7ac87998aa435b30ea070b0d

SHA256
d5b868f4497b6dcf823318e143fe71e41279b19811de9b9fbfbd01cf0d08380e

SHA512
ecdcb56338ca808939bb1bc2aa17bcdfc6343d1211ec43ac7c82edc0921e62921beb04a3feda0308f47b6467f9fa9ad966cc4e6c0783181b7be758b497480562

Download Submit
C:\Users\Admin\AppData\Local\Temp\eosahawn.0.vb
Filesize
150B

MD5
1b4fb5e3edf737cc570101af098b8b8b

SHA1
697dbfdbc070868122e4d909e3115547c82ff5ed

SHA256
d667f032a9538d08f05f8ac3c53d791251bc709ce6ea2ad2b8d2dbff9e3dff31

SHA512
c85eab737e23aa984a6d18035ec122ef711d54b405efb1476f5226c3f140cb5c208543f8111d13747ca563926cc244e6ec0f8b5593b1ca75bc2e07bb6aa7f387

Download Submit
C:\Users\Admin\AppData\Local\Temp\eosahawn.cmdline
Filesize
194B

MD5
b44e54b6358065a3e2baeb06ad8aa868

SHA1
2e7530a21fd0bfe7321e300c47137b9172b6e8ba

SHA256
41c4275e619b870488c27f296bad0bcab33562e14c09c1ef8596b78fe9dfe3e3

SHA512
c9a2d3470b711522978d2ac177e02acd8ee4a6ecd21b20c35f3f6bcf1fbbd58818d59adb6585eaab09861fcdae826c9dd99588279885ebda804d742ba1fcbe73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcACE3.tmp
Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Roaming\myNUstntrH.js
Filesize
17KB

MD5
7fcc69ae32f6a2886980fb92a08bf480

SHA1
8cb6feca11b461acef5878e9473dbe62f34aa65f

SHA256
89cc7795ed9ad5189dca10a64a89cd3bfd59ed1e6aa17137f45846574e35bdd4

SHA512
684d5345e6190948fc9f915beeb040dbb7ac28b6865925fcdc11778f63cfdecd7feddd2e5dad44b0e4b0478943e3d88ce4f04c0f8b382fcdfbe3fef044b73cd3

Download Submit
memory/760-63-0x0000000000000000-mapping.dmp

Download
memory/760-66-0x000007FEF4180000-0x000007FEF4BA3000-memory.dmp

Filesize
10.1MB

Download
memory/760-67-0x000007FEEEA10000-0x000007FEEFAA6000-memory.dmp

Filesize
16.6MB

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-61-0x000007FEF3840000-0x000007FEF48D6000-memory.dmp

Filesize
16.6MB

Download
memory/956-60-0x000007FEF4B20000-0x000007FEF5543000-memory.dmp

Filesize
10.1MB

Download
memory/1316-55-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

Filesize
8KB

Download
memory/1512-69-0x0000000000000000-mapping.dmp

Download
memory/1680-73-0x0000000000000000-mapping.dmp

Download