revengerat | 19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

General

Target

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Size

161KB
MD5

6dbf9d23086ddc60c06d51b5cef27c27
SHA1

d2763cebcf65023707fea835015ae230b5bd48cb
SHA256

19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a
SHA512

e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830
SSDEEP

3072:nf/snZ0dRsNedt26sjXkXUpEzFLlYmS2QMN+3j61oXd+RubnMaqPi3:XyZGRsNed1sYXUWxL2mS2n+Tvt+Ebnai

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3048-141-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat
behavioral2/memory/3048-143-0x0000000000400000-0x000000000042C000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

Microsoft .Net Framework Servcies.exe

pid process

2620 Microsoft .Net Framework Servcies.exe

pid	process
2620	Microsoft .Net Framework Servcies.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

description	pid	process	target process
PID 1944 set thread context of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

pid	process
1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

description	pid	process
Token: SeDebugPrivilege	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
Token: SeDebugPrivilege	3048	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
2⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
2⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
"C:\Users\Admin\AppData\Local\Temp\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
"C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
3⤵
- Executes dropped EXE
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe.log
Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
161KB

MD5
6dbf9d23086ddc60c06d51b5cef27c27

SHA1
d2763cebcf65023707fea835015ae230b5bd48cb

SHA256
19a7fcd451dea34b219222ddce8072f3a83a57eeb18dc1598b2a6f0c5bf6546a

SHA512
e78812ed50a8f4dc636bc50e3f7ab4ea2979293c824299da83ddd5015f90b8064720c8c6009dfd15fe83b15eace496103e41e0f0265bc8dbd79d656a1650a830

Download Submit
memory/1944-133-0x00000000050C0000-0x0000000005664000-memory.dmp

Filesize
5.6MB

Download
memory/1944-134-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/1944-135-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/1944-136-0x00000000056F0000-0x0000000005766000-memory.dmp

Filesize
472KB

Download
memory/1944-137-0x0000000005090000-0x00000000050AE000-memory.dmp

Filesize
120KB

Download
memory/1944-132-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/2620-146-0x0000000000000000-mapping.dmp

Download
memory/3048-140-0x0000000000000000-mapping.dmp

Download
memory/3048-144-0x00000000056B0000-0x000000000574C000-memory.dmp

Filesize
624KB

Download
memory/3048-145-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/3048-143-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3048-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4056-139-0x0000000000000000-mapping.dmp

Download
memory/4492-138-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1944 wrote to memory of 4492	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 4492	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 4492	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 4056	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 4056	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 4056	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 1944 wrote to memory of 3048	1944	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe
PID 3048 wrote to memory of 2620	3048	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 3048 wrote to memory of 2620	3048	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe
PID 3048 wrote to memory of 2620	3048	19A7FCD451DEA34B219222DDCE8072F3A83A57EEB18DC.exe	Microsoft .Net Framework Servcies.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads