revengerat | 4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118

General

Target

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
Size

819KB
MD5

5b9dd49ffe63a9cc638f28383cacac8f
SHA1

6ea781eb54e023b9dc06599be6349cb7c7eb8a37
SHA256

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118
SHA512

abdb1b0f3b18c8a85b5b3bd7dced382408cf0f37aa47dfc622546b793e17f5629f475666c399e0eafbc16c94368b1a727e6bdbaf104f00df2b9e04910662a36f

Score

10^/10

revengerat babayaga persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

BABAYAGA

C2

condor777.chickenkiller.com:1604

Mutex

EZlNApdygPhSv

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2268-133-0x0000000000400000-0x0000000000408000-memory.dmp	revengerat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rxXxwFIf\ = "C:\\rxXxwFIf\\uIDSYFqn.exe"	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
Key created	\Registry\User\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	pid	process	target process
PID 3316 set thread context of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

pid	process
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regasm.exe

description pid process

Token: SeDebugPrivilege 2268 regasm.exe

description	pid	process
Token: SeDebugPrivilege	2268	regasm.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe

description	pid	process	target process
PID 3316 wrote to memory of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 3316 wrote to memory of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 3316 wrote to memory of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 3316 wrote to memory of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe
PID 3316 wrote to memory of 2268	3316	4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe	regasm.exe

C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe
"C:\Users\Admin\AppData\Local\Temp\4322f3a9121766619306d7b91f2620880d40d038350f924391cc9f0fb38b1118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2268-132-0x0000000000000000-mapping.dmp

Download
memory/2268-133-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2268-135-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/2268-136-0x00000000745E0000-0x0000000074B91000-memory.dmp

Filesize
5.7MB

Download
memory/3316-130-0x0000000002560000-0x0000000002655000-memory.dmp

Filesize
980KB

Download
memory/3316-131-0x0000000002560000-0x0000000002655000-memory.dmp

Filesize
980KB

Download
memory/3316-134-0x0000000002560000-0x0000000002655000-memory.dmp

Filesize
980KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads