revengerat | 3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea

General

Target

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
Size

345KB
MD5

625c5be82cb33b45e21c521995e543f7
SHA1

acf0d26d067696b2c93015e83b3811cf96f90510
SHA256

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea
SHA512

351ee2bcfeeb91de93081fe763a20b99b0e9493db6fda8eee0de336b6a963610dd5b8160b32490c06dd53f6b1aaab1be4e8ed6da79338c57b53df7389d35cd06

Score

10^/10

revengerat ceo stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

CEO

C2

192.168.1.4:666

192.168.1.4:1716

netking.duckdns.org:666

netking.duckdns.org:1716

Mutex

RV_MUTEX-LuSAtYBxGgZH

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4588-142-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VEOOqq.url	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

description	pid	process	target process
PID 4528 set thread context of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

pid	process
4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
Token: SeDebugPrivilege	4588	RegAsm.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.execsc.exe

description	pid	process	target process
PID 4528 wrote to memory of 1532	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 4528 wrote to memory of 1532	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 4528 wrote to memory of 1532	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	csc.exe
PID 1532 wrote to memory of 4640	1532	csc.exe	cvtres.exe
PID 1532 wrote to memory of 4640	1532	csc.exe	cvtres.exe
PID 1532 wrote to memory of 4640	1532	csc.exe	cvtres.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe
PID 4528 wrote to memory of 4588	4528	3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe
"C:\Users\Admin\AppData\Local\Temp\3cd3b7ca84a4c44fa8080b1c7df713f6de0a9d36644732665625590e919db7ea.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB059.tmp" "c:\Users\Admin\AppData\Local\Temp\jdalg1fk\CSCAC25AE9DD69E4C6FB2CB234DD6299D7A.TMP"
3⤵
PID:4640

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB059.tmp
Filesize
1KB

MD5
661dfb464d75e3b5779eda07abaac86e

SHA1
551ca50088c651b2ff961af43aca8fa34ff885d8

SHA256
d4caeba836abcde9b16470086834847515d1692379188bcd90eb12fe8db83df9

SHA512
9e02b273ce30736122aadedc2859aeef8d9a2ee75decd17b45fa24a827c378d892885d6dc8423eae2620365c239a02e4d72f1e0b12721e8d334d7a04747efd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.dll
Filesize
6KB

MD5
a8f440271f13c3ca30974609931bd3db

SHA1
418cb63f5591542527781c5771be95b45cab538d

SHA256
9de4f1f37c94c3cba39f5134dd1c46b71f0ad02b6f60e61bbf7b73b9521f46d3

SHA512
19ed717670a2c225b922809e13671a7a5079f0fe12a2c29a06100cf5f76d2787db562cd11dd1fc73cc3b1bd9d20ff974badf88595def012453d8d2a70e1a07a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.pdb
Filesize
15KB

MD5
d64018ab5d8306ba25345f4ceb6d244a

SHA1
4bdadad5d51a0125d2e83397558950504863d9e5

SHA256
97b370b2397082be7b6e562d70f0fa327d9dad60b578c0292f5527afc9a18eec

SHA512
88ca064c6c56c0a80fcc5824eec7054d3505d2d86ec7112bc97b11c3c2068c23148ccfb34c0fa73e73a65f4419a7a3d5ba1d8aa2ae7696d2d6c0151211c3d201

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\CSCAC25AE9DD69E4C6FB2CB234DD6299D7A.TMP
Filesize
1KB

MD5
6eae8ca50c27fe18c4b5af2584aecf42

SHA1
8ba11aed44b5a959f443ef6af3e2005da3a57c8a

SHA256
a5c373ef7a8ef9d5a3b20f2a47b0dc5508b203fdcd72444d622ce50743096744

SHA512
744418c948dcee775587ea89793a8b609d5d355aff3c6f0c841f65e8278d06155301e031778b28d657ff27f28005bd954aed4486855355cd96f49e8eaca5c512

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.0.cs
Filesize
2KB

MD5
898702ed72ed760606b16ba1b0127af4

SHA1
54def04d7ddf5c2816e6f76b032be192aea661ef

SHA256
4171994b6dd8dd4a5814d5f749041f03075d9f1e178f544804ff564d68396c1a

SHA512
41522d3986701e7e253c308dc3a904f153b943874b78d89d87f466861e2f7598a3d46edbd63aadd3f6c6bed996185584ec3f027edba3eb3a98862ac35511da4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jdalg1fk\jdalg1fk.cmdline
Filesize
312B

MD5
5c2fd49f8df7350919b2b51b20296471

SHA1
05fa831b6ae714205b4a78ebafb23c7e34e50273

SHA256
3b9ea422592fe0aa8b51218e037e7550ce65d494dfab4e7708919c1a391fea11

SHA512
207027fba2a19ea9e815e21601858e7789eb9cc435abf94f4caf664c526ea65c9440b4f1f05c5e2ad5b441a506fb1f3d70a54f8c74ca177bfdb86c8c24efec78

Download Submit
memory/1532-131-0x0000000000000000-mapping.dmp

Download
memory/4528-130-0x0000000000580000-0x00000000005C4000-memory.dmp

Filesize
272KB

Download
memory/4528-139-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/4528-140-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/4588-141-0x0000000000000000-mapping.dmp

Download
memory/4588-142-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4588-143-0x0000000071250000-0x0000000071801000-memory.dmp

Filesize
5.7MB

Download
memory/4588-144-0x0000000071250000-0x0000000071801000-memory.dmp

Filesize
5.7MB

Download
memory/4640-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads