revengerat | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

General

Target

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
Size

53KB
MD5

b585af67793f866a758b533870daee47
SHA1

e202f5897b60fabc23e4400cf4929be84f8607ae
SHA256

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0
SHA512

0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1360 svchost.exe
1476 svchost.exe

pid	process
1360	svchost.exe
1476	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe

pid	process
1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe

pid	process
652	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
Token: SeDebugPrivilege	1360	svchost.exe
Token: SeDebugPrivilege	1476	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exesvchost.exetaskeng.exe

description	pid	process	target process
PID 1896 wrote to memory of 1360	1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1896 wrote to memory of 1360	1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1896 wrote to memory of 1360	1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1896 wrote to memory of 1360	1896	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1360 wrote to memory of 652	1360	svchost.exe	schtasks.exe
PID 1360 wrote to memory of 652	1360	svchost.exe	schtasks.exe
PID 1360 wrote to memory of 652	1360	svchost.exe	schtasks.exe
PID 1360 wrote to memory of 652	1360	svchost.exe	schtasks.exe
PID 920 wrote to memory of 1476	920	taskeng.exe	svchost.exe
PID 920 wrote to memory of 1476	920	taskeng.exe	svchost.exe
PID 920 wrote to memory of 1476	920	taskeng.exe	svchost.exe
PID 920 wrote to memory of 1476	920	taskeng.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
"C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Network Menager" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:652

C:\Windows\system32\taskeng.exe
taskeng.exe {27724153-D0B3-47EC-A5BE-CDD8DB361040} S-1-5-21-3440072777-2118400376-1759599358-1000:NKWDSIWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
memory/652-66-0x0000000000000000-mapping.dmp

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/1360-64-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-65-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1476-71-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-70-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-56-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-54-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download
memory/1896-55-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-63-0x0000000074F70000-0x000000007551B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads