revengerat | 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

General

Target

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Size

193KB
MD5

b6c3692bfbd98dcc39a6347fa9f4fb69
SHA1

23c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA256

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA512

0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Score

10^/10

revengerat bobo2019 stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

bobo2019

C2

hushbob123.hopto.org:4951

hushbob12301.hopto.org:4951

hushbob12302.hopto.org:4951

hushbob12303.hopto.org:4951

Mutex

RV_MUTEX-XyMpzZJHOwDt

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1900-70-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1900-71-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1900-72-0x0000000000405F6E-mapping.dmp	revengerat
behavioral1/memory/1900-77-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1900-75-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

app.exeapp.exe

pid process

592 app.exe
1900 app.exe
Drops startup file 1 IoCs

Processes:

app.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeapp.exe

pid process

1804 cmd.exe
592 app.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 592 set thread context of 1900 592 app.exe app.exe
Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Program Files (x86)\app.exe cmd.exe
File opened for modification C:\Program Files (x86)\app.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
592	app.exe
1900	app.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk	app.exe

pid	process
1804	cmd.exe
592	app.exe

description	pid	process	target process
PID 592 set thread context of 1900	592	app.exe	app.exe

description	ioc	process
File created	C:\Program Files (x86)\app.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\app.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exeapp.exeapp.exe

description	pid	process
Token: SeDebugPrivilege	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: 33	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: SeIncBasePriorityPrivilege	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: SeDebugPrivilege	592	app.exe
Token: 33	592	app.exe
Token: SeIncBasePriorityPrivilege	592	app.exe
Token: SeDebugPrivilege	1900	app.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.execmd.exeapp.exe

description	pid	process	target process
PID 1648 wrote to memory of 1580	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1580	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1580	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1580	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1648 wrote to memory of 1804	1648	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 1804 wrote to memory of 592	1804	cmd.exe	app.exe
PID 1804 wrote to memory of 592	1804	cmd.exe	app.exe
PID 1804 wrote to memory of 592	1804	cmd.exe	app.exe
PID 1804 wrote to memory of 592	1804	cmd.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe
PID 592 wrote to memory of 1900	592	app.exe	app.exe

C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
"C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe" "C:\Program Files (x86)\app.exe"
2⤵
- Drops file in Program Files directory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Program Files (x86)\app.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804

C:\Program Files (x86)\app.exe
"C:\Program Files (x86)\app.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\app.exe
"C:\Program Files (x86)\app.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
memory/592-62-0x0000000000000000-mapping.dmp

Download
memory/592-64-0x0000000000850000-0x0000000000886000-memory.dmp

Filesize
216KB

Download
memory/1580-58-0x0000000000000000-mapping.dmp

Download
memory/1648-55-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1648-56-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/1648-57-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1648-54-0x00000000001B0000-0x00000000001E6000-memory.dmp

Filesize
216KB

Download
memory/1804-59-0x0000000000000000-mapping.dmp

Download
memory/1900-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1900-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1900-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1900-72-0x0000000000405F6E-mapping.dmp

Download
memory/1900-67-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1900-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1900-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads