revengerat | 3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

General

Target

3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe
Size

17KB
MD5

1098d8e6429779b56a6b6a542cd3bc11
SHA1

73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5
SHA256

3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7
SHA512

825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

Score

10^/10

revengerat the new stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

The New

C2

wowhu.zapto.org:5550

wowhu.zapto.org:5551

wowhu.zapto.org:5552

wowhu.zapto.org:5553

wowhu.zapto.org:5554

wowhu.zapto.org:5555

haxballfc.ddns.net:5550

haxballfc.ddns.net:5551

haxballfc.ddns.net:5552

haxballfc.ddns.net:5553

haxballfc.ddns.net:5554

haxballfc.ddns.net:5555

linkshosts.ddns.net:5550

linkshosts.ddns.net:5551

linkshosts.ddns.net:5552

linkshosts.ddns.net:5553

linkshosts.ddns.net:5554

linkshosts.ddns.net:5555

gaminghost.ddns.net:5550

gaminghost.ddns.net:5551

Mutex

RV_MUTEX-IPcYBGldGoFYE

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

winhost.exe

pid process

3564 winhost.exe

pid	process
3564	winhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

Drops startup file 3 IoCs

Processes:

winhost.exe3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	winhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exewinhost.exe

description	pid	process
Token: SeDebugPrivilege	3120	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe
Token: SeDebugPrivilege	3564	winhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe

description	pid	process	target process
PID 3120 wrote to memory of 3564	3120	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe	winhost.exe
PID 3120 wrote to memory of 3564	3120	3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe	winhost.exe

C:\Users\Admin\AppData\Local\Temp\3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe
"C:\Users\Admin\AppData\Local\Temp\3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:3564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
Filesize
17KB

MD5
1098d8e6429779b56a6b6a542cd3bc11

SHA1
73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5

SHA256
3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

SHA512
825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe
Filesize
17KB

MD5
1098d8e6429779b56a6b6a542cd3bc11

SHA1
73f6b9c7b6cf16d2abdf3a6ec06b0ac2aeb62af5

SHA256
3f5d94ceb5367b224386438511aa78c245d977846a71fcd8ffa6c6470d1b3fe7

SHA512
825a655df4440f3f4a072fe0ff4ab5d237cae5f3485d3bd51ce8053bf336aa4286f0e16d796e83c40c99d236cbe08c54b6914e34a5b307968d3d3fb88aa977a0

Download Submit
memory/3120-130-0x000000001BB10000-0x000000001C546000-memory.dmp

Filesize
10.2MB

Download
memory/3564-131-0x0000000000000000-mapping.dmp

Download
memory/3564-134-0x000000001C300000-0x000000001CD36000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads