revengerat | 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

General

Target

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Size

161KB
MD5

6dbf9d23086ddc60c06d51b5cef27c27
SHA1

d2763cebcf65023707fea835015ae230b5bd48cb
SHA256

19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512

e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830
SSDEEP

3072:nf/snZ0dRsNedt26sjXkXUpEzFLlYmS2QMN+3j61oXd+RubnMaqPi3:XyZGRsNed1sYXUWxL2mS2n+Tvt+Ebnai

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1076-60-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1076-61-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1076-62-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1076-63-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1076-64-0x0000000000424CEE-mapping.dmp	revengerat
behavioral1/memory/1076-66-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral1/memory/1132-81-0x0000000000424CEE-mapping.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

Microsoft .Net Framework Servcies.exeMicrosoft .Net Framework Servcies.exe

pid process

1328 Microsoft .Net Framework Servcies.exe
1132 Microsoft .Net Framework Servcies.exe
Loads dropped DLL 1 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

pid process

1076 19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

pid	process
1328	Microsoft .Net Framework Servcies.exe
1132	Microsoft .Net Framework Servcies.exe

pid	process
1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exeMicrosoft .Net Framework Servcies.exe

description	pid	process	target process
PID 2020 set thread context of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1328 set thread context of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exeMicrosoft .Net Framework Servcies.exe

description	pid	process
Token: SeDebugPrivilege	1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Token: SeDebugPrivilege	1132	Microsoft .Net Framework Servcies.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exeMicrosoft .Net Framework Servcies.exe

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
"C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
"C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
memory/1076-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-64-0x0000000000424CEE-mapping.dmp

Download
memory/1076-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1076-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1132-81-0x0000000000424CEE-mapping.dmp

Download
memory/1328-72-0x0000000000E50000-0x0000000000E7E000-memory.dmp

Filesize
184KB

Download
memory/1328-69-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000000D60000-0x0000000000D8E000-memory.dmp

Filesize
184KB

Download
memory/2020-56-0x00000000007F0000-0x000000000081E000-memory.dmp

Filesize
184KB

Download
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download

description	pid	process	target process
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 2020 wrote to memory of 1076	2020	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1076 wrote to memory of 1328	1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328	1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328	1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 1076 wrote to memory of 1328	1076	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe
PID 1328 wrote to memory of 1132	1328	Microsoft .Net Framework Servcies.exe	Microsoft .Net Framework Servcies.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads