revengerat | 1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
Size

3.4MB
MD5

7ddaf6c0ccdf99faced8f866a3670206
SHA1

08f5844c6413dbcc5d1b765247c93d4c13c97914
SHA256

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe
SHA512

3321c6c6f9982cd179597dfa7b0612b81358b594a7e216a1bfde0dd638d4324a90b9f373f5be9681de9324c363193dd7c5fd565cc57e7766ffe1fb077b4bdf02

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Server.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Executes dropped EXE 3 IoCs

Processes:

TempDev.exeServer.exesvchost.exe

pid process

1468 TempDev.exe
4808 Server.exe
2212 svchost.exe

pid	process
1468	TempDev.exe
4808	Server.exe
2212	svchost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exeTempDev.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	TempDev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 6 IoCs

Processes:

svchost.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.js	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

4544 vlc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

4544 vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Server.exeAUDIODG.EXEvlc.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4808	Server.exe
Token: 33	5008	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5008	AUDIODG.EXE
Token: 33	4544	vlc.exe
Token: SeIncBasePriorityPrivilege	4544	vlc.exe
Token: SeDebugPrivilege	2212	svchost.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

vlc.exe

pid	process
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe
4544	vlc.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

vlc.exe

pid process

4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vlc.exe

pid process

4544 vlc.exe
4544 vlc.exe
4544 vlc.exe
4544 vlc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exeTempDev.exeServer.exesvchost.exevbc.exe

description	pid	process	target process
PID 4232 wrote to memory of 1468	4232	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 4232 wrote to memory of 1468	4232	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 4232 wrote to memory of 1468	4232	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	TempDev.exe
PID 4232 wrote to memory of 4544	4232	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 4232 wrote to memory of 4544	4232	1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe	vlc.exe
PID 1468 wrote to memory of 4808	1468	TempDev.exe	Server.exe
PID 1468 wrote to memory of 4808	1468	TempDev.exe	Server.exe
PID 1468 wrote to memory of 4808	1468	TempDev.exe	Server.exe
PID 4808 wrote to memory of 2212	4808	Server.exe	svchost.exe
PID 4808 wrote to memory of 2212	4808	Server.exe	svchost.exe
PID 4808 wrote to memory of 2212	4808	Server.exe	svchost.exe
PID 2212 wrote to memory of 2276	2212	svchost.exe	vbc.exe
PID 2212 wrote to memory of 2276	2212	svchost.exe	vbc.exe
PID 2212 wrote to memory of 2276	2212	svchost.exe	vbc.exe
PID 2276 wrote to memory of 1932	2276	vbc.exe	cvtres.exe
PID 2276 wrote to memory of 1932	2276	vbc.exe	cvtres.exe
PID 2276 wrote to memory of 1932	2276	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe
"C:\Users\Admin\AppData\Local\Temp\1b4a335db0e6efd5b56004bba323afd71d8db9fa43b4f6650a0bc791d87e1dbe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\TempDev.exe
"C:\Users\Admin\AppData\Local\TempDev.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s69wevbx.cmdline"
5⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD36D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc149E929A6614E71B653BC319BE550E9.TMP"
6⤵
PID:1932

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Tempskype.mp4"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x450 0x328
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempDev.exe
Filesize
191KB

MD5
b077a236e6cb4f710626b9ef56df8e8a

SHA1
ab7b6f4b9af0919f55dfb64a090630c4e7b191fd

SHA256
65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8

SHA512
88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400

Download Submit
C:\Users\Admin\AppData\Local\TempDev.exe
Filesize
191KB

MD5
b077a236e6cb4f710626b9ef56df8e8a

SHA1
ab7b6f4b9af0919f55dfb64a090630c4e7b191fd

SHA256
65a6a2d2702b3a6e81ad3ee7c3bcc7a40d99fe16c166bd554bfa07c1b7e29ba8

SHA512
88bba2ee188e5b10377e123fbfb178f15987b9341b750fda8daa15b9d27e9c3257c8dcdea700631c5c3325da466964ea439bbb5f847ddceb2f068b989ffa3400

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD36D.tmp
Filesize
1KB

MD5
3b3ab957ac7416711836ffa8d660239a

SHA1
ee20fed5e6a7b92659cca051cbab96cfbdcc9d7a

SHA256
e13dbc388a28e7a904df00db2570c2a3627602dea860c89b668663f79840a318

SHA512
6029a490dcfa0679d5ec9fbb965dbdfa8c1a97525fadefbc87c0932710fed46144403a9eea0ba0085f804ee6f8e219365f808aca9d4fb6dd72227ffe26531f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\s69wevbx.0.vb
Filesize
179B

MD5
89923fa6e5d214f70f33024fbcec55da

SHA1
f3cdb3b25a010fd74381fb7dc2a51fa7381ac168

SHA256
fba87273861c2b2f7b37784013bdf4de9694e303151b46b48a0a8e9b9fe0be0e

SHA512
54d829ff58eb032612e39e3853516d2a074a1e213485d07242807a01633457560cc57e0860857fb09d14324415924bcfffa82f87464af2857397d9557f4125d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\s69wevbx.cmdline
Filesize
195B

MD5
7d6f714cdee4c68c9085f626ad515fae

SHA1
7f4328aded9400f56c372eaeb2f1c9693ea64ccc

SHA256
2731b32d363b39fca78c30793aa557cc9f3e53aaf40bea6aaa64cc070bfce16a

SHA512
47c75dc511f5a3ddac528c52e166eaf067b92c75f7032ee890a9e85d271320260eefd82d1ae63801bb5c692d5e499e785b45c812a4eb8c920245c3bd8687ceb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc149E929A6614E71B653BC319BE550E9.TMP
Filesize
644B

MD5
2a1292826a47da43a7f430c4fd2022ec

SHA1
aa05c2f60651842c7b16a741169945f611c5fc64

SHA256
5cb8cedbc321cc29521008679cc737965557e4c8f3a787d7679939ffd6c21b5b

SHA512
4b90c6b158175a7ec812f97f106bf50e9d7a2b7e96f01aa23a3bd4561a6e8e6a43b29914b1bc0b92773e585add738026910cd9df8359d7c0d4be08319dc7636a

Download Submit
C:\Users\Admin\AppData\Local\Tempskype.mp4
Filesize
3.2MB

MD5
c964e27a154347bfd7ec916ab7d3013b

SHA1
f18253fbf190248dbcf27724223252523bf38922

SHA256
ef82ac9c6ea1141b85dfe6ecf24392046f54b505d71da9c4547aeaada5878447

SHA512
b9e17b0243c486d76df0c472126fd201174dbf3cc2f45adfea0c9227493dec6774fdfa8d2018cdd4280a91af934f43ea073b07210ed84dcf84df8b06cd998627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
53KB

MD5
ee2798ed9616f341959ffa8b191c012f

SHA1
060ee139042e6e45e5faf38c826e8ae019d785a2

SHA256
f7a76d4cfa1b187a48d34e497f4defed10e11962d8cf138fa7ab8268e0c32de4

SHA512
ef93efd176632a8c5fe88e6da05693512169fd13f2e42122b01f7d3bd0fd0e4bd629b274f6a600a92b0d64d1243b514c91f5a85881e5bda3c6f9f682a6c2c7e6

Download Submit
memory/1468-142-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/1468-131-0x0000000000000000-mapping.dmp

Download
memory/1468-140-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/1932-154-0x0000000000000000-mapping.dmp

Download
memory/2212-144-0x0000000000000000-mapping.dmp

Download
memory/2212-148-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/2212-149-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/2276-150-0x0000000000000000-mapping.dmp

Download
memory/4232-135-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4232-130-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4544-134-0x0000000000000000-mapping.dmp

Download
memory/4808-141-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-137-0x0000000000000000-mapping.dmp

Download
memory/4808-147-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download
memory/4808-143-0x00000000747F0000-0x0000000074DA1000-memory.dmp

Filesize
5.7MB

Download