revengerat | 308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849

General

Target

308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe
Size

59KB
MD5

574684c7708d5026e2cc84df0bf873f7
SHA1

3f2332101004dae325affce9f3867a34ac03a82a
SHA256

308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849
SHA512

beec7b8759df71d4adcf9c134a2374cc91d1ca35f84e5345d94899ca05570daeb63270f3d8f8012f06e654ee317cb626a3f26af5ac71d8dec6bc87e7b467380b

Score

10^/10

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1996-133-0x0000000000430000-0x0000000000446000-memory.dmp	revengerat
behavioral2/memory/1996-136-0x0000000000430000-0x0000000000446000-memory.dmp	revengerat
behavioral2/memory/1996-138-0x0000000000430000-0x0000000000446000-memory.dmp	revengerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe

description	pid	process	target process
PID 4112 set thread context of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4236 1996 WerFault.exe MSBuild.exe
2344 1996 WerFault.exe MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe

description pid process

Token: SeDebugPrivilege 4112 308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe

pid	pid_target	process	target process
4236	1996	WerFault.exe	MSBuild.exe
2344	1996	WerFault.exe	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe

description	pid	process	target process
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe
PID 4112 wrote to memory of 1996	4112	308eb7c2fd6238b8194d33348051db21de2e93cda17aee8fcefe1ada21ef0849.exe	MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 196
3⤵
- Program crash
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 200
3⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1996 -ip 1996
1⤵
PID:1528

memory/1996-131-0x0000000000000000-mapping.dmp

Download
memory/1996-133-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1996-136-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1996-138-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/4112-130-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download
memory/4112-135-0x0000000074890000-0x0000000074E41000-memory.dmp

Filesize
5.7MB

Download