revengerat | 39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

General

Target

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
Size

18KB
MD5

1a506f45ee5eb2764fdf980f0fbaf7ca
SHA1

6dd081bb7b55540bcf9896c6cfbf037d73f03f4a
SHA256

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08
SHA512

ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Score

10^/10

revengerat anoy persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Anoy

C2

anoy.zapto.org:1155

Mutex

RV_MUTEX-rClgZblRvZwfR

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

system32.exe

pid process

368 system32.exe

pid	process
368	system32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe

Drops startup file 3 IoCs

Processes:

system32.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	system32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	system32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\system32.exe"	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exesystem32.exe

description	pid	process
Token: SeDebugPrivilege	4972	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
Token: SeDebugPrivilege	368	system32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exesystem32.exevbc.exe

description	pid	process	target process
PID 4972 wrote to memory of 368	4972	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe	system32.exe
PID 4972 wrote to memory of 368	4972	39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe	system32.exe
PID 368 wrote to memory of 1940	368	system32.exe	vbc.exe
PID 368 wrote to memory of 1940	368	system32.exe	vbc.exe
PID 1940 wrote to memory of 2524	1940	vbc.exe	cvtres.exe
PID 1940 wrote to memory of 2524	1940	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe
"C:\Users\Admin\AppData\Local\Temp\39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b4wutgih.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE59C59C1A6D94C11BAF1A5BD32416037.TMP"
4⤵
PID:2524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp
Filesize
1KB

MD5
847e1bad422191d6e2a0310ec5ca4215

SHA1
90ffbf6a16285729595ed9581115651a7cb2ab89

SHA256
0e13d361db1767aa74477e3c82949f275470de9a9d192ba700c3a0b33431cdb1

SHA512
baa4fd215e1130fa574dc4c519371bf7d96aa55fb95fcc9e553cbf79ed4d4ed3c60e95c35178e91332d973b7e71f6741c73df35ce2e06a05597ea34cf33e757f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4wutgih.0.vb
Filesize
182B

MD5
2c2cd51aa85ac5c56fa326d885f41520

SHA1
3c675df52e0836d8531053668937387d94c7051c

SHA256
94ad5cc78e8cfc502d7cb7f082e72c12f7c69416d109892e5816301b3b754955

SHA512
dbd93e01925807ebf94ded675685d67e40de1f3c588b50a530fbde32bd60d5fccd418bb49a7317668e0213cb4b5948a47cfe63fe2c72cccb851b97c738b3a988

Download Submit
C:\Users\Admin\AppData\Local\Temp\b4wutgih.cmdline
Filesize
196B

MD5
495cd9cfa3d17cf52096e4080d9260e6

SHA1
a456bded897cceaffbf12e442a4dfb87fc57f0a0

SHA256
46785fc0d8fd8554011b8ca2bf5f72b779e9abc46285f95cc438baad65612ba5

SHA512
895d4bfda9bcfb18514c0961edf9a2c0ca8609a0948610d641777b49e0792b59e678470d37b30b5c3d7b544bd6836fd75911354308b5fdab940e0d548298c451

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE59C59C1A6D94C11BAF1A5BD32416037.TMP
Filesize
652B

MD5
da45d35e63147566a22cf668e5e13d6f

SHA1
7b2294553e7fedee456a28019cc38c979285e45f

SHA256
baa46bfc2bc81152df6239fb25f534f861d3868526e7970300d418d9c6fd8c0c

SHA512
882b0a33daafe5c14cb809233b62237403ca2894ce256ad75dfaabfa1e556ef86768b3877d3cd22f684486ca103aa3de2d2b2288f426a8bb2a87388317ac8cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
Filesize
18KB

MD5
1a506f45ee5eb2764fdf980f0fbaf7ca

SHA1
6dd081bb7b55540bcf9896c6cfbf037d73f03f4a

SHA256
39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

SHA512
ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\system32.exe
Filesize
18KB

MD5
1a506f45ee5eb2764fdf980f0fbaf7ca

SHA1
6dd081bb7b55540bcf9896c6cfbf037d73f03f4a

SHA256
39ca0763bd03a8d005101682a0cc6fec9bbef0549effe79a1405eab59635ef08

SHA512
ed99e3c1c64942af342da0e400463fae33c17496c4fe8ce9d33d26546eb221066b556df24b38d6659d49910d2c28fcde1fc67f7cd8c38266ab00148c85eeda7c

Download Submit
memory/368-131-0x0000000000000000-mapping.dmp

Download
memory/368-134-0x00007FFE2D420000-0x00007FFE2DE56000-memory.dmp

Filesize
10.2MB

Download
memory/1940-135-0x0000000000000000-mapping.dmp

Download
memory/2524-138-0x0000000000000000-mapping.dmp

Download
memory/4972-130-0x00007FFE2D420000-0x00007FFE2DE56000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads