revengerat | 7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2

General

Target

7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
Size

17KB
MD5

3e2021ca808317e1eb7c2e0a0c8ae009
SHA1

713c6d2139f0f0a00b911d2b3ac2a5cdda08995b
SHA256

7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2
SHA512

73e64d3adf64310ee56d4c2774cc318fae633e1cb3f80df15436a37c4a8185ab881a3906ec99c360f8a8fa3e8341c06898f26233ffe6462eb708947bc8ef9371

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

dnstext.publicvm.com:111

Mutex

RV_MUTEX-DxjEexVoqqNL

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\C.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

C.exe

pid process

1672 C.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

C.exe

description pid process

Token: SeDebugPrivilege 1672 C.exe

pid	process
1672	C.exe

description	pid	process
Token: SeDebugPrivilege	1672	C.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe

description	pid	process	target process
PID 2024 wrote to memory of 1672	2024	7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe	C.exe
PID 2024 wrote to memory of 1672	2024	7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe	C.exe
PID 2024 wrote to memory of 1672	2024	7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe	C.exe

C:\Users\Admin\AppData\Local\Temp\7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe
"C:\Users\Admin\AppData\Local\Temp\7dcf9edbb6c768e78ac0f21c2096f64ae4a2502b687435b578cc2a1a828384a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\C.exe
"C:\Users\Admin\AppData\Local\Temp\C.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C.exe
Filesize
16KB

MD5
076830ba20c76c34a86002ca274eb7e1

SHA1
01ff5288ac557d5f05941f407d59ccec137c2b50

SHA256
bdd3be1ad38415332fff82064cf84f0753662939481b358c815fe40334a5c5cc

SHA512
700d48de064b08288d49abefb34145b9ccab2518cae4f879e47c9749bf928f8409d049260259cf25c356bb769bd1d9954880d02cc9a279c57c230fa72f80ebf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C.exe
Filesize
16KB

MD5
076830ba20c76c34a86002ca274eb7e1

SHA1
01ff5288ac557d5f05941f407d59ccec137c2b50

SHA256
bdd3be1ad38415332fff82064cf84f0753662939481b358c815fe40334a5c5cc

SHA512
700d48de064b08288d49abefb34145b9ccab2518cae4f879e47c9749bf928f8409d049260259cf25c356bb769bd1d9954880d02cc9a279c57c230fa72f80ebf8

Download Submit
memory/1672-56-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x000007FEF4FD0000-0x000007FEF59F3000-memory.dmp

Filesize
10.1MB

Download
memory/1672-60-0x000007FEF3410000-0x000007FEF44A6000-memory.dmp

Filesize
16.6MB

Download
memory/2024-54-0x00000000013B0000-0x00000000013BA000-memory.dmp

Filesize
40KB

Download
memory/2024-55-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing