revengerat | 3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

General

Target

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Size

193KB
MD5

b6c3692bfbd98dcc39a6347fa9f4fb69
SHA1

23c2cf93874bb36b5daa25f3bef46b8d93bfa046
SHA256

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769
SHA512

0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Score

10^/10

revengerat bobo2019 stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

bobo2019

C2

hushbob123.hopto.org:4951

hushbob12301.hopto.org:4951

hushbob12302.hopto.org:4951

hushbob12303.hopto.org:4951

Mutex

RV_MUTEX-XyMpzZJHOwDt

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2632-141-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Executes dropped EXE 3 IoCs

Processes:

app.exeapp.exeClient.exe

pid process

1696 app.exe
2632 app.exe
3376 Client.exe

pid	process
1696	app.exe
2632	app.exe
3376	Client.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exeapp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	app.exe

Drops startup file 1 IoCs

Processes:

app.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk app.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 1696 set thread context of 2632 1696 app.exe app.exe
Drops file in Program Files directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Program Files (x86)\app.exe cmd.exe
File opened for modification C:\Program Files (x86)\app.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.lnk	app.exe

description	pid	process	target process
PID 1696 set thread context of 2632	1696	app.exe	app.exe

description	ioc	process
File created	C:\Program Files (x86)\app.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\app.exe	cmd.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exeapp.exeapp.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: 33	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: SeIncBasePriorityPrivilege	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
Token: SeDebugPrivilege	1696	app.exe
Token: 33	1696	app.exe
Token: SeIncBasePriorityPrivilege	1696	app.exe
Token: SeDebugPrivilege	2632	app.exe
Token: SeDebugPrivilege	3376	Client.exe
Token: 33	3376	Client.exe
Token: SeIncBasePriorityPrivilege	3376	Client.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.execmd.exeapp.exeapp.exe

description	pid	process	target process
PID 3080 wrote to memory of 736	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 3080 wrote to memory of 736	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 3080 wrote to memory of 736	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 3080 wrote to memory of 952	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 3080 wrote to memory of 952	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 3080 wrote to memory of 952	3080	3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe	cmd.exe
PID 952 wrote to memory of 1696	952	cmd.exe	app.exe
PID 952 wrote to memory of 1696	952	cmd.exe	app.exe
PID 952 wrote to memory of 1696	952	cmd.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 1696 wrote to memory of 2632	1696	app.exe	app.exe
PID 2632 wrote to memory of 3376	2632	app.exe	Client.exe
PID 2632 wrote to memory of 3376	2632	app.exe	Client.exe
PID 2632 wrote to memory of 3376	2632	app.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe
"C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769.exe" "C:\Program Files (x86)\app.exe"
2⤵
- Drops file in Program Files directory
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Program Files (x86)\app.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Program Files (x86)\app.exe
"C:\Program Files (x86)\app.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files (x86)\app.exe
"C:\Program Files (x86)\app.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Program Files (x86)\app.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\app.exe.log
Filesize
706B

MD5
f8bcaf312de8591707436c1dcebba8e4

SHA1
a1269828e5f644601622f4a7a611aec8f2eda0b2

SHA256
f0f5a90777c70cdceea22bd66b33c1703a318acc45cb012d0b01585a1ac12b29

SHA512
3a714f5950584abbc94a27bbd4623bfc5acb1135c8c9fca4d74e70c8481b71ace7dbc1dfbf101dd07c76a050acfb4852f31dd57fc7ae196382336c5edc9e6413

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
193KB

MD5
b6c3692bfbd98dcc39a6347fa9f4fb69

SHA1
23c2cf93874bb36b5daa25f3bef46b8d93bfa046

SHA256
3ee2a25d9a6d78d9c9484bd95373bb5a0eb98f5f14d4981e9c572acf7f2ff769

SHA512
0c2ca210ad2b90219227629b6e0009c920b96124cc9d5c00379dd97dadca24abccd45503c177cc5a400ca7f27ce255943cf72f01810576e862d02881cc8b33a7

Download Submit
memory/736-134-0x0000000000000000-mapping.dmp

Download
memory/952-135-0x0000000000000000-mapping.dmp

Download
memory/1696-139-0x0000000006B50000-0x0000000006BEC000-memory.dmp

Filesize
624KB

Download
memory/1696-136-0x0000000000000000-mapping.dmp

Download
memory/2632-140-0x0000000000000000-mapping.dmp

Download
memory/2632-141-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2632-144-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3080-131-0x00000000000C0000-0x00000000000F6000-memory.dmp

Filesize
216KB

Download
memory/3080-133-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/3080-132-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/3376-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads