revengerat | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

General

Target

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
Size

18KB
MD5

1a506f45ee5eb2764fdf980f0fbaf7ca
SHA1

6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
SHA256

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
SHA512

ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Score

10^/10

revengerat anoy persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Anoy

C2

anoy.zapto.org:1155

Mutex

RV_MUTEX-rClgZblRvZwfR

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

system32.exe

pid process

2024 system32.exe

pid	process
2024	system32.exe

Drops startup file 3 IoCs

Processes:

system32.exevbc.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	system32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	system32.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\system32.exe"	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exesystem32.exe

description	pid	process
Token: SeDebugPrivilege	1312	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
Token: SeDebugPrivilege	2024	system32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exesystem32.exevbc.exe

description	pid	process	target process
PID 1312 wrote to memory of 2024	1312	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe	system32.exe
PID 1312 wrote to memory of 2024	1312	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe	system32.exe
PID 1312 wrote to memory of 2024	1312	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe	system32.exe
PID 2024 wrote to memory of 1212	2024	system32.exe	vbc.exe
PID 2024 wrote to memory of 1212	2024	system32.exe	vbc.exe
PID 2024 wrote to memory of 1212	2024	system32.exe	vbc.exe
PID 1212 wrote to memory of 1976	1212	vbc.exe	cvtres.exe
PID 1212 wrote to memory of 1976	1212	vbc.exe	cvtres.exe
PID 1212 wrote to memory of 1976	1212	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
"C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tqsph-kn.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A0F.tmp"
4⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9A10.tmp
Filesize
1KB

MD5
0bd46d394fc418cdf44cd94b72985088

SHA1
43e719dfe278ddf8af5490a68650aad80c5964b6

SHA256
a0ee30323306630bf4743f37a04333be18e4de6b247eab9e7c89c67f6ed37616

SHA512
0aeadd71fcfc7ba1ae48bc97eed5757fc9524e7079d9bbf2dc827706787f4102c0663a4f9bf6eb20e7d2b2eaac289abb0762ee42e78842720b92bb57deb9bb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqsph-kn.0.vb
Filesize
182B

MD5
2c2cd51aa85ac5c56fa326d885f41520

SHA1
3c675df52e0836d8531053668937387d94c7051c

SHA256
94ad5cc78e8cfc502d7cb7f082e72c12f7c69416d109892e5816301b3b754955

SHA512
dbd93e01925807ebf94ded675685d67e40de1f3c588b50a530fbde32bd60d5fccd418bb49a7317668e0213cb4b5948a47cfe63fe2c72cccb851b97c738b3a988

Download Submit
C:\Users\Admin\AppData\Local\Temp\tqsph-kn.cmdline
Filesize
196B

MD5
76a2ad81af685d9c55241773ea762870

SHA1
9efaf779309bdc54e541ba1982962079038a710f

SHA256
21bb4ebf1d5cb1958ade5776922ebf78ae6d840530f29c4aaafca8c49792e266

SHA512
9ecf14a4f8d0ad67fcec5d71f182946141d93191ff97636565c3938df641a5df82e48b9ddd1d77d87d88f10b7a825fad23990c795178b40f549208707a13db6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9A0F.tmp
Filesize
652B

MD5
da45d35e63147566a22cf668e5e13d6f

SHA1
7b2294553e7fedee456a28019cc38c979285e45f

SHA256
baa46bfc2bc81152df6239fb25f534f861d3868526e7970300d418d9c6fd8c0c

SHA512
882b0a33daafe5c14cb809233b62237403ca2894ce256ad75dfaabfa1e556ef86768b3877d3cd22f684486ca103aa3de2d2b2288f426a8bb2a87388317ac8cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
Filesize
18KB

MD5
1a506f45ee5eb2764fdf980f0fbaf7ca

SHA1
6dd081bb7b55540bcf9896c6cfbf037d73f03f4a

SHA256
39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

SHA512
ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
Filesize
18KB

MD5
1a506f45ee5eb2764fdf980f0fbaf7ca

SHA1
6dd081bb7b55540bcf9896c6cfbf037d73f03f4a

SHA256
39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

SHA512
ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Download Submit
memory/1212-62-0x0000000000000000-mapping.dmp

Download
memory/1312-55-0x000007FEF3150000-0x000007FEF41E6000-memory.dmp

Filesize
16.6MB

Download
memory/1312-56-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1312-54-0x000007FEF4430000-0x000007FEF4E53000-memory.dmp

Filesize
10.1MB

Download
memory/1976-65-0x0000000000000000-mapping.dmp

Download
memory/2024-57-0x0000000000000000-mapping.dmp

Download
memory/2024-61-0x000007FEF3150000-0x000007FEF41E6000-memory.dmp

Filesize
16.6MB

Download
memory/2024-60-0x000007FEF4430000-0x000007FEF4E53000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads