revengerat | 41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a | Triage

Sharing

General

Target

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a
Size

263KB
Sample

220708-he7qcadedq
MD5

594e681165d7f6a566cae99cf29b02ea
SHA1

d2bcd07d94be4fbbcc87df9d9e5c69340a897cc0
SHA256

41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a
SHA512

c3e720ac73e29beef0ca3f4998e9ce0d5e2784defe0401836d8f1171c10126cf16432c86e28d63bf97a78f929937d3582b7aee85f43c046e5ba2d3cab46e3f67

Score

10^/10

revengerat guest persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

18.188.125.21:4545

Mutex

RV_MUTEX

Targets

- Target
  
  41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a
- Size
  
  263KB
- MD5
  
  594e681165d7f6a566cae99cf29b02ea
- SHA1
  
  d2bcd07d94be4fbbcc87df9d9e5c69340a897cc0
- SHA256
  
  41265978129d25cb75b2523d24896a39d37273e285e165800c0bea6c2caac60a
- SHA512
  
  c3e720ac73e29beef0ca3f4998e9ce0d5e2784defe0401836d8f1171c10126cf16432c86e28d63bf97a78f929937d3582b7aee85f43c046e5ba2d3cab46e3f67
Score

10^/10

revengerat guest persistence stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

revengeratguestpersistencestealertrojan

behavioral2