revengerat | 5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da

General

Target

5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe
Size

214KB
MD5

f9a2cbbaeae0112641305ca357e4df86
SHA1

d3a9989ad4e4f1beb1e328c0f961bcc8565c5814
SHA256

5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da
SHA512

d8607bf05656377a27d25ce34a1e35c238fed8e9cb89284214ac76cf0b56685ceceba5f0041660e709e9c0f8207356d6c120b05735b8f262d5ef660f26ef1e0b

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 4 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\adobe.exe	revengerat
C:\Users\Admin\AppData\Roaming\adobe.exe	revengerat
\Users\Admin\AppData\Roaming\adobe.exe	revengerat
C:\Users\Admin\AppData\Roaming\adobe.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

adobe.exe

pid process

1320 adobe.exe

pid	process
1320	adobe.exe

Drops startup file 2 IoCs

Processes:

adobe.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobeupdatas.exe	adobe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobeupdatas.exe	adobe.exe

Loads dropped DLL 2 IoCs

Processes:

5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe

pid	process
888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe
888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

adobe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\speedy = "C:\\Users\\Admin\\AppData\\Roaming\\adobe.exe"	adobe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exeadobe.exe

description	pid	process
Token: SeDebugPrivilege	888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe
Token: SeDebugPrivilege	1320	adobe.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe

description	pid	process	target process
PID 888 wrote to memory of 1320	888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe	adobe.exe
PID 888 wrote to memory of 1320	888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe	adobe.exe
PID 888 wrote to memory of 1320	888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe	adobe.exe
PID 888 wrote to memory of 1320	888	5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe	adobe.exe

C:\Users\Admin\AppData\Local\Temp\5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe
"C:\Users\Admin\AppData\Local\Temp\5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Roaming\adobe.exe
"C:\Users\Admin\AppData\Roaming\adobe.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\adobe.exe
Filesize
214KB

MD5
f9a2cbbaeae0112641305ca357e4df86

SHA1
d3a9989ad4e4f1beb1e328c0f961bcc8565c5814

SHA256
5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da

SHA512
d8607bf05656377a27d25ce34a1e35c238fed8e9cb89284214ac76cf0b56685ceceba5f0041660e709e9c0f8207356d6c120b05735b8f262d5ef660f26ef1e0b

Download Submit
C:\Users\Admin\AppData\Roaming\adobe.exe
Filesize
214KB

MD5
f9a2cbbaeae0112641305ca357e4df86

SHA1
d3a9989ad4e4f1beb1e328c0f961bcc8565c5814

SHA256
5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da

SHA512
d8607bf05656377a27d25ce34a1e35c238fed8e9cb89284214ac76cf0b56685ceceba5f0041660e709e9c0f8207356d6c120b05735b8f262d5ef660f26ef1e0b

Download Submit
\Users\Admin\AppData\Roaming\adobe.exe
Filesize
214KB

MD5
f9a2cbbaeae0112641305ca357e4df86

SHA1
d3a9989ad4e4f1beb1e328c0f961bcc8565c5814

SHA256
5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da

SHA512
d8607bf05656377a27d25ce34a1e35c238fed8e9cb89284214ac76cf0b56685ceceba5f0041660e709e9c0f8207356d6c120b05735b8f262d5ef660f26ef1e0b

Download Submit
\Users\Admin\AppData\Roaming\adobe.exe
Filesize
214KB

MD5
f9a2cbbaeae0112641305ca357e4df86

SHA1
d3a9989ad4e4f1beb1e328c0f961bcc8565c5814

SHA256
5a1540604aff786d6937c9d66808455cf0f66592c5766a6991dc5a435a00e6da

SHA512
d8607bf05656377a27d25ce34a1e35c238fed8e9cb89284214ac76cf0b56685ceceba5f0041660e709e9c0f8207356d6c120b05735b8f262d5ef660f26ef1e0b

Download Submit
memory/888-54-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/888-55-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/888-56-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/888-63-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-59-0x0000000000000000-mapping.dmp

Download
memory/1320-64-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download
memory/1320-65-0x00000000747F0000-0x0000000074D9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads