revengerat | 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118

General

Target

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
Size

819KB
MD5

5b9dd49ffe63a9cc638f28383cacac8f
SHA1

6ea781eb54e023b9dc06599be6349cb7c7eb8a37
SHA256

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118
SHA512

abdb1b0f3b18c8a85b5b3bd7dced382408cf0f37aa47dfc622546b793e17f5629f475666c399e0eafbc16c94368b1a727e6bdbaf104f00df2b9e04910662a36f

Score

10^/10

revengerat babayaga persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

BABAYAGA

C2

condor777.chickenkiller.com:1604

Mutex

EZlNApdygPhSv

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2028-58-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2028-59-0x0000000000405DEE-mapping.dmp	revengerat
behavioral1/memory/2028-61-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat
behavioral1/memory/2028-63-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\rxXxwFIf\\uIDSYFqn.exe"	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	pid	process	target process
PID 1312 set thread context of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

pid	process
1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regasm.exe

description pid process

Token: SeDebugPrivilege 2028 regasm.exe

description	pid	process
Token: SeDebugPrivilege	2028	regasm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	pid	process	target process
PID 1312 wrote to memory of 960	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	splwow64.exe
PID 1312 wrote to memory of 960	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	splwow64.exe
PID 1312 wrote to memory of 960	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	splwow64.exe
PID 1312 wrote to memory of 960	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	splwow64.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2044	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 1312 wrote to memory of 2028	1312	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
"C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:960

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
2⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-55-0x0000000000000000-mapping.dmp

Download
memory/960-56-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1312-54-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1312-57-0x00000000034E0000-0x000000000363C000-memory.dmp

Filesize
1.4MB

Download
memory/2028-58-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2028-59-0x0000000000405DEE-mapping.dmp

Download
memory/2028-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2028-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2028-65-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-66-0x0000000074520000-0x0000000074ACB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads