revengerat | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea

General

Target

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
Size

345KB
MD5

625c5be82cb33b45e21c521995e543f7
SHA1

acf0d26d067696b2c93015e83b3811cf96f90510
SHA256

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea
SHA512

351ee2bcfeeb91de93081fe763a20b99b0e9493db6fda8eee0de336b6a963610dd5b8160b32490c06dd53f6b1aaab1be4e8ed6da79338c57b53df7389d35cd06

Score

10^/10

revengerat ceo stealer trojan

Malware Config

Extracted

Family

revengerat

Mutex

Extracted

Family

revengerat

Botnet

CEO

C2

192.168.1.4:666

192.168.1.4:1716

netking.duckdns.org:666

netking.duckdns.org:1716

Mutex

RV_MUTEX-LuSAtYBxGgZH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/924-67-0x0000000000560000-0x0000000000568000-memory.dmp	revengerat
behavioral1/memory/1972-71-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1972-72-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1972-73-0x0000000000405DFE-mapping.dmp	revengerat
behavioral1/memory/1972-77-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/1972-75-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VEOOqq.url	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

description	pid	process	target process
PID 924 set thread context of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

pid	process
924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
Token: SeDebugPrivilege	1972	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.execsc.exe

description	pid	process	target process
PID 924 wrote to memory of 960	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 924 wrote to memory of 960	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 924 wrote to memory of 960	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 924 wrote to memory of 960	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 960 wrote to memory of 1480	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 1480	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 1480	960	csc.exe	cvtres.exe
PID 960 wrote to memory of 1480	960	csc.exe	cvtres.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 924 wrote to memory of 1972	924	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
"C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fmzq3br\0fmzq3br.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF99C.tmp" "c:\Users\Admin\AppData\Local\Temp\0fmzq3br\CSC9B0A0C614BEA451592B6493C7FA747F.TMP"
3⤵
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0fmzq3br\0fmzq3br.dll
Filesize
6KB

MD5
f054d141b5548a3869eaf058e60cfbf0

SHA1
3d6d75148ef5662c3ba8f600a8f319c26aeae0b9

SHA256
717d16cb64a7327c4ee359a36dcb555ed18eb23a11b5a28f01356f62b2d81de0

SHA512
4aa342009d2142d54b6334ee8b20310d04456d1fc4ed9ab0462c474859b550522d8d7edbf09972cf14bd7ec53779e2ede28284d639ade3114256986179176c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fmzq3br\0fmzq3br.pdb
Filesize
15KB

MD5
a0752cc4b21c93602c499df2e8922f63

SHA1
c07628d33a79d5c48ef9e4590f02be9e472cf758

SHA256
aaa2f50417304733aec6cdc217febb3a73c289c120c491b66438c574c6390a75

SHA512
ce9f6574a28e0b0a40448c310e4bd84c3b7094b44194cd29982c75f6361c235abcd44a7c59ff35ff44bfedb4becc67c765f58516e8295580660e42c57693ffae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF99C.tmp
Filesize
1KB

MD5
7d50ccee7910494d096b1c63f7ba675e

SHA1
0cd092dfdb4a4199c60c36557a5bce74a998e43e

SHA256
4cdac08910e5a64ca2d6df46826750c1f5627eb6b80c45cd2c93f5abf8a50571

SHA512
816cb442c3207b3515c70a1e5bcdee3f6c0064396485e70116abde7218cce7b6e9c862874077b6ec3276befbb8692e722f847e3a99430c4847ea58ced5b50c05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fmzq3br\0fmzq3br.0.cs
Filesize
2KB

MD5
898702ed72ed760606b16ba1b0127af4

SHA1
54def04d7ddf5c2816e6f76b032be192aea661ef

SHA256
4171994b6dd8dd4a5814d5f749041f03075d9f1e178f544804ff564d68396c1a

SHA512
41522d3986701e7e253c308dc3a904f153b943874b78d89d87f466861e2f7598a3d46edbd63aadd3f6c6bed996185584ec3f027edba3eb3a98862ac35511da4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fmzq3br\0fmzq3br.cmdline
Filesize
312B

MD5
b760885f6c65a6fa7c9bbfaf273db71a

SHA1
f98c2ea64bb0578364ee08347b6392a4661c03d6

SHA256
3438e6d36a13219b3e601135148c505d594e8e79426957d69e92abdbcfe9dc3b

SHA512
99a309a20918c784179cb19b9e79b2fbb2a3dd2f24fe8603ea9f22dccaee355d916cb721dcf2cc9f605803e9c7a8beb008d2f33d4b9251cb2066583b438e6f3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fmzq3br\CSC9B0A0C614BEA451592B6493C7FA747F.TMP
Filesize
1KB

MD5
968d296a9e6b9aa176260a01b5e96908

SHA1
658c5c108605bcfd6f2c55716d637154edb02289

SHA256
32ea6e6d1304a2c523a699ff12d2ecc251206d8e67af59cafae642d7678eb3ba

SHA512
08d82bb966f8e3c26fd1a9e46ae3c734ee70bbe5754d2bd729eaf93591650d8c2e9eca87efeee2d07891e8f674bf96c0a5cbb7c224898d1612fdd70ee4ccec65

Download Submit
memory/924-64-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/924-63-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/924-54-0x0000000000C20000-0x0000000000C64000-memory.dmp

Filesize
272KB

Download
memory/924-65-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/924-66-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/924-67-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/1480-58-0x0000000000000000-mapping.dmp

Download
memory/1972-72-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-73-0x0000000000405DFE-mapping.dmp

Download
memory/1972-77-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1972-79-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-80-0x0000000074AE0000-0x000000007508B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads