revengerat | e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
Size

81KB
MD5

f44f71fbbb725def604dc7681163d7c3
SHA1

a270d1637bb509f72de959461286421ace9cc7e7
SHA256

e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf
SHA512

4c366b0162f3949e5c62c744d4fd62d43dc8e07f9177c2bd25484ea9e43d714ddf46ff5af5192d7dacad04fd826d59a55ed2871dd318b307333abfcaa0edfd36

Score

10^/10

revengerat paulinhaaa stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

PAULINHAAA

4099.ddns.net:1515

popup.duckdns.org:1515

Mutex

RV_MUTEX-NNHuiGGjjtnxD

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1944-55-0x00000000003F0000-0x00000000003F8000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OFFICEYO0049.URL	e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

description pid process

Token: SeDebugPrivilege 1944 e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

description	pid	process
Token: SeDebugPrivilege	1944	e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe

C:\Users\Admin\AppData\Local\Temp\e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe
"C:\Users\Admin\AppData\Local\Temp\e80c263898c20c3312264ecb17dc37e3752562233f99c55bddd7fe2fc1cecbbf.exe"
1⤵
- Drops startup file
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1944-54-0x0000000000A80000-0x0000000000A9A000-memory.dmp

Filesize
104KB

Download
memory/1944-55-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download