revengerat | e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

General

Target

0x000a0000000122da-58.exe
Size

86KB
MD5

117fa52c8400ad57e1a32503e7138abc
SHA1

e6cfae7554a85bf343089ba627688ff122188a9e
SHA256

e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce
SHA512

e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

blessed147.ddns.net:8089

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

268 Client.exe

pid	process
268	Client.exe

Drops startup file 7 IoCs

Processes:

Client.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.js	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.lnk	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.URL	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.vbs	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exe0x000a0000000122da-58.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Client.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Client.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	0x000a0000000122da-58.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0x000a0000000122da-58.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0x000a0000000122da-58.exeClient.exe

description pid process

Token: SeDebugPrivilege 776 0x000a0000000122da-58.exe
Token: SeDebugPrivilege 268 Client.exe

description	pid	process
Token: SeDebugPrivilege	776	0x000a0000000122da-58.exe
Token: SeDebugPrivilege	268	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0x000a0000000122da-58.exeClient.exevbc.exe

description	pid	process	target process
PID 776 wrote to memory of 268	776	0x000a0000000122da-58.exe	Client.exe
PID 776 wrote to memory of 268	776	0x000a0000000122da-58.exe	Client.exe
PID 776 wrote to memory of 268	776	0x000a0000000122da-58.exe	Client.exe
PID 268 wrote to memory of 1800	268	Client.exe	vbc.exe
PID 268 wrote to memory of 1800	268	Client.exe	vbc.exe
PID 268 wrote to memory of 1800	268	Client.exe	vbc.exe
PID 1800 wrote to memory of 740	1800	vbc.exe	cvtres.exe
PID 1800 wrote to memory of 740	1800	vbc.exe	cvtres.exe
PID 1800 wrote to memory of 740	1800	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000122da-58.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v5esxkt-.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4980.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4970.tmp"
4⤵
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4980.tmp
Filesize
1KB

MD5
bf16bebfc07e9fefe78e14755ba6a175

SHA1
f506956e6ff6a8ebaa5beef746c807a124b2ccef

SHA256
7be0ad327a5b8d6493a55597b61a1530ace316b83d18d99a2b6c0e099bb2474e

SHA512
17adaa2f89be2919ad22b412907f0542448a7f344a0de72d48190b167bb3e1b669dfe4ef2e565b4978b19f87c20d40b9b2605026f7d2eed5e4394e420d30b499

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5esxkt-.0.vb
Filesize
150B

MD5
1b4fb5e3edf737cc570101af098b8b8b

SHA1
697dbfdbc070868122e4d909e3115547c82ff5ed

SHA256
d667f032a9538d08f05f8ac3c53d791251bc709ce6ea2ad2b8d2dbff9e3dff31

SHA512
c85eab737e23aa984a6d18035ec122ef711d54b405efb1476f5226c3f140cb5c208543f8111d13747ca563926cc244e6ec0f8b5593b1ca75bc2e07bb6aa7f387

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5esxkt-.cmdline
Filesize
194B

MD5
d97b582ab70b313114a9566639e399a4

SHA1
5d8d377846481db4f030884fb239dc5dc6ebd16e

SHA256
fcba2231d3a3dac7a8133d4cb612db03fb63481a6ea32da944a46d89120418a0

SHA512
4ac6fdbde3bb7008b4ff823c4bcc819117debe58048b877f1ff2779433b33cebdd8f5e34786171de92e5a082a06a041b1d85776d05d6936ee839fa76d7a9efe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4970.tmp
Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
Filesize
86KB

MD5
117fa52c8400ad57e1a32503e7138abc

SHA1
e6cfae7554a85bf343089ba627688ff122188a9e

SHA256
e2b4fb5fd4705700ffa3423a9384039f03967d60c6eac79cc9b9171401ea19ce

SHA512
e615ad092197caca9e6b60d9599b1dc6b66554d9030237bfb109ffc2fbd851efbc623037fe0c9d776cbac9ae8ef232e84b3432df7bed653f343269cac8a17f23

Download Submit
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/268-61-0x000007FEF21D0000-0x000007FEF3266000-memory.dmp

Filesize
16.6MB

Download
memory/268-60-0x000007FEF4600000-0x000007FEF5023000-memory.dmp

Filesize
10.1MB

Download
memory/740-67-0x0000000000000000-mapping.dmp

Download
memory/776-54-0x000007FEF3720000-0x000007FEF4143000-memory.dmp

Filesize
10.1MB

Download
memory/776-56-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/776-55-0x000007FEF2680000-0x000007FEF3716000-memory.dmp

Filesize
16.6MB

Download
memory/1800-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads