revengerat | 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878

General

Target

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
Size

34KB
MD5

8223ed91a842abd590bf94d3547648ca
SHA1

16911011bfd074c1e94feedf3099b7588bf64772
SHA256

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878
SHA512

fff0c118ee8c2d32e88587d485b5ff8c2a67c516d4926fb84af4e99eacd7f8fb34e0732fb536bf51efd4ccc7554c45044e5c5945720700bd8f8ba8d9b2a29a1e

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

bdder2004.myddns.me:9999

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1880-57-0x0000000000940000-0x000000000094A000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

vbc.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

description pid process

Token: SeDebugPrivilege 1880 370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1880	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exevbc.exe

description	pid	process	target process
PID 1880 wrote to memory of 828	1880	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 1880 wrote to memory of 828	1880	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 1880 wrote to memory of 828	1880	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 1880 wrote to memory of 828	1880	370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe	vbc.exe
PID 828 wrote to memory of 1224	828	vbc.exe	cvtres.exe
PID 828 wrote to memory of 1224	828	vbc.exe	cvtres.exe
PID 828 wrote to memory of 1224	828	vbc.exe	cvtres.exe
PID 828 wrote to memory of 1224	828	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe
"C:\Users\Admin\AppData\Local\Temp\370be7daedd5d09002bd08ef0195a783d367672399c081c1053f36028191b878.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.cmdline"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcECB3CDDB81A24992869EB1B2503E3BE0.TMP"
3⤵
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5E18.tmp
Filesize
1KB

MD5
1a0841bbc9a46a79805a785650f44495

SHA1
7f8178bcd6f61ec788f09b768335f1a0f301c52f

SHA256
9d7e0b3ace1c251c2e40f1f00247be03b244681f8f35a0e2508b47ecc68e0d4d

SHA512
9dcff9afef120f40d45a317207da8a8a9207aa2235422eb3438ad310d60d32052c7a6f812ad2c8cd4b7cdd304b8d1fb5764a80890bf0839bab577ad8469966da

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.0.vb
Filesize
211B

MD5
8bf1f067bb325b1661d32546c57e8ce6

SHA1
3e993c7fcf91fc17c78a5c8e23b48bd2d285c32e

SHA256
348f4579b19f45c9c8a4bd1434a4641a775b728a17988d850f9f18793aa4149d

SHA512
80b393f2e12f48c962bddaf34d7715af9a4deaf7c535f9ebd006033c5376395d4bf560be06a942a26ee4d9d5e99ab7bddbe72b4546ea804c4f0110bd7eeb00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1etyt55\l1etyt55.cmdline
Filesize
203B

MD5
0f4ad9dcf383b7952954f7e3d1f0d8ab

SHA1
f00e08fa46d9a726e95205c40675540f79cbe63a

SHA256
4413aa6d40a6944e89f965c02de776e2fd4d49cd90489c023652b2da0a9ade59

SHA512
4b57f0048aaadced9cb0b65cb21d723606757b4908bb2cb389d2d1a66dd495b774ec737f22c2a5a27654c836549b94f8f6a35fbbfedaa3d8c0aec5d48492f4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcECB3CDDB81A24992869EB1B2503E3BE0.TMP
Filesize
1KB

MD5
e9144225655a1177485a6238f397718e

SHA1
0618d989814312c38b8005fc469222f891470642

SHA256
f2ff3d3919bf3120bd18978b0225c56b53eec3a645493f7fe08344671cacb21d

SHA512
392b9684bc1c0d054a397bb8ed54bc682a59ea6c1c12abad5d70ec2f0065afec4645cae8c2672ec4571d5763397092388b944cd5c7582a4aa685ecd4e3a0c2a4

Download Submit
memory/828-59-0x0000000000000000-mapping.dmp

Download
memory/1224-62-0x0000000000000000-mapping.dmp

Download
memory/1880-54-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/1880-55-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x0000000004C65000-0x0000000004C76000-memory.dmp

Filesize
68KB

Download
memory/1880-57-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/1880-58-0x0000000004C65000-0x0000000004C76000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing