revengerat | 4f70e89683eb246f6f8e776eb02b4ba43acdd378bb9071182ab18174b2b6fba2

Analysis

max time kernel
126s
max time network
105s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
19-07-2022 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

microsoft.exe
Size

410KB
MD5

0c2c9f346c5c3d6ece9f0bd3241a356f
SHA1

4df27264caaea246eab651d618ad8e554cf1ad6e
SHA256

4a08fa0e9d46964ee88efa05ac7aec0a2889b8b7094fbb3834102423b1915593
SHA512

6fc7a2ae524184178a93fa729192b194ff387447f341153ea1ed840075b6c58ec1b3792fc0d9ba1e9426a4029c9a0ea920ed0673e2908c9d5bb803cedbd65263

Score

10^/10

revengerat @-novos hoteis-@stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

@-NOVOS HOTEIS-@

cdtoriginal.ddns.net:1166

office365update.duckdns.org:1166

Mutex

SoftwareRemovalToolwINDOWS

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1632-55-0x0000000000360000-0x000000000036A000-memory.dmp	revengerat

Drops startup file 1 IoCs

Processes:

microsoft.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoftwareLicensingProductWindows.lnk	microsoft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

microsoft.exe

description pid process

Token: SeDebugPrivilege 1632 microsoft.exe

description	pid	process
Token: SeDebugPrivilege	1632	microsoft.exe

C:\Users\Admin\AppData\Local\Temp\microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\microsoft.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x00000000003E0000-0x000000000044C000-memory.dmp

Filesize
432KB

Download
memory/1632-55-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download