revengerat | 6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

General

Target

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
Size

53KB
MD5

b585af67793f866a758b533870daee47
SHA1

e202f5897b60fabc23e4400cf4929be84f8607ae
SHA256

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0
SHA512

0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe	revengerat

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1876 svchost.exe
1764 svchost.exe

pid	process
1876	svchost.exe
1764	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\History\\svchost.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3600 schtasks.exe

pid	process
3600	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1304	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
Token: SeDebugPrivilege	1876	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exesvchost.exe

description	pid	process	target process
PID 1304 wrote to memory of 1876	1304	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1304 wrote to memory of 1876	1304	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1304 wrote to memory of 1876	1304	6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe	svchost.exe
PID 1876 wrote to memory of 3600	1876	svchost.exe	schtasks.exe
PID 1876 wrote to memory of 3600	1876	svchost.exe	schtasks.exe
PID 1876 wrote to memory of 3600	1876	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe
"C:\Users\Admin\AppData\Local\Temp\6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Network Menager" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:3600

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\svchost.exe
Filesize
53KB

MD5
b585af67793f866a758b533870daee47

SHA1
e202f5897b60fabc23e4400cf4929be84f8607ae

SHA256
6fe5d15dd9a0aeef6b153b2428b8f6d3b518cf3f71dc66163515778dd3c038c0

SHA512
0b3b47e9dcce53b8d88ee470b0a2e4f0b3256a6148e833d96702a4940dddea7561e351b5536a50f908efe4c4550e0657505b6469fbfd0c755a8be277a873d7a1

Download Submit
memory/1304-130-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1304-131-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1304-135-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1764-140-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1764-141-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1876-132-0x0000000000000000-mapping.dmp

Download
memory/1876-136-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1876-137-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/3600-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads