revengerat | fb7392139a115fcf8e9f741d3187d5bdb682be4f7babc52e9fcd6bd6fc897c31

Analysis

max time kernel
267s
max time network
341s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
Size

21.6MB
MD5

6631fd90c648d10b65e4778010c7c2fb
SHA1

53d833a9b6238247ae63deb0bbaeb1264c3dbffc
SHA256

fb7392139a115fcf8e9f741d3187d5bdb682be4f7babc52e9fcd6bd6fc897c31
SHA512

f3765881e58ebbe6876c31600f6da115b9bfa2be1a5053a88e60e3a8e52cf38e2d629841a60e1e6ea7751aaef3f9e81ab38e8de3ff6ab473e748475cc3ab859e
SSDEEP

393216:tq5jjbBR1Ha+LAkVcPjvdgcKCqNSLIWURm/UHFo6FkhC:qBR1HDNOPJgcKCHhsHFDz

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Client.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Client.exe	revengerat
C:\Users\Admin\AppData\Local\Temp\Client.exe	revengerat
\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe	revengerat
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe	revengerat

Executes dropped EXE 7 IoCs

Processes:

Client.exefix.exeSetup.exeSetup.exefix .exesvchost.exeMicrosoft .Net Framework Servcies.exe

pid process

676 Client.exe
924 fix.exe
1648 Setup.exe
544 Setup.exe
340 fix .exe
1360 svchost.exe
668 Microsoft .Net Framework Servcies.exe

pid	process
676	Client.exe
924	fix.exe
1648	Setup.exe
544	Setup.exe
340	fix .exe
1360	svchost.exe
668	Microsoft .Net Framework Servcies.exe

Loads dropped DLL 5 IoCs

Processes:

FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exefix.exeClient.exe

pid	process
1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
924	fix.exe
924	fix.exe
676	Client.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Setup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 676 Client.exe

description	pid	process
Token: SeDebugPrivilege	676	Client.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exefix.exeSetup.exeClient.exe

description	pid	process	target process
PID 1712 wrote to memory of 676	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	Client.exe
PID 1712 wrote to memory of 676	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	Client.exe
PID 1712 wrote to memory of 676	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	Client.exe
PID 1712 wrote to memory of 676	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	Client.exe
PID 1712 wrote to memory of 924	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	fix.exe
PID 1712 wrote to memory of 924	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	fix.exe
PID 1712 wrote to memory of 924	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	fix.exe
PID 1712 wrote to memory of 924	1712	FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe	fix.exe
PID 924 wrote to memory of 1648	924	fix.exe	Setup.exe
PID 924 wrote to memory of 1648	924	fix.exe	Setup.exe
PID 924 wrote to memory of 1648	924	fix.exe	Setup.exe
PID 924 wrote to memory of 544	924	fix.exe	Setup.exe
PID 924 wrote to memory of 544	924	fix.exe	Setup.exe
PID 924 wrote to memory of 544	924	fix.exe	Setup.exe
PID 924 wrote to memory of 340	924	fix.exe	fix .exe
PID 924 wrote to memory of 340	924	fix.exe	fix .exe
PID 924 wrote to memory of 340	924	fix.exe	fix .exe
PID 1648 wrote to memory of 1360	1648	Setup.exe	svchost.exe
PID 1648 wrote to memory of 1360	1648	Setup.exe	svchost.exe
PID 1648 wrote to memory of 1360	1648	Setup.exe	svchost.exe
PID 676 wrote to memory of 668	676	Client.exe	Microsoft .Net Framework Servcies.exe
PID 676 wrote to memory of 668	676	Client.exe	Microsoft .Net Framework Servcies.exe
PID 676 wrote to memory of 668	676	Client.exe	Microsoft .Net Framework Servcies.exe
PID 676 wrote to memory of 668	676	Client.exe	Microsoft .Net Framework Servcies.exe

C:\Users\Admin\AppData\Local\Temp\FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe
"C:\Users\Admin\AppData\Local\Temp\FB7392139A115FCF8E9F741D3187D5BDB682BE4F7BABC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
"C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe"
3⤵
- Executes dropped EXE
PID:668

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
4⤵
- Executes dropped EXE
PID:1360

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Executes dropped EXE
PID:544

C:\Users\Admin\AppData\Local\Temp\fix .exe
"C:\Users\Admin\AppData\Local\Temp\fix .exe"
3⤵
- Executes dropped EXE
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
144KB

MD5
3c99042b54fb74e45b1c2f9bec86321b

SHA1
9c91ae20f4214122819659cd3f0ea46d4ea8699c

SHA256
4fc5d7b78bb2a049986044f87441ade0f0d09485cc508489bf1d484b2c7da695

SHA512
96b490b45fe228c0f0f18192a58f29bcef69afc0fd940544db1c0e849cffecf6091a1cfb1c8412a751deb5b3a67564d56afe3f72d4eee2678363ce84b2e58457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
144KB

MD5
3c99042b54fb74e45b1c2f9bec86321b

SHA1
9c91ae20f4214122819659cd3f0ea46d4ea8699c

SHA256
4fc5d7b78bb2a049986044f87441ade0f0d09485cc508489bf1d484b2c7da695

SHA512
96b490b45fe228c0f0f18192a58f29bcef69afc0fd940544db1c0e849cffecf6091a1cfb1c8412a751deb5b3a67564d56afe3f72d4eee2678363ce84b2e58457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
356KB

MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
356KB

MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
356KB

MD5
fa0b327abd82686bb9d676a30fa89b46

SHA1
a5521f5e8e500f67b183542ffad65b83ebcb186f

SHA256
d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

SHA512
ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fix .exe
Filesize
26.9MB

MD5
20f0d5f26ccc128b8dc82a9cfb248df4

SHA1
1fbcdd3ac02351998393b61f2ce8e63fc1e7e59e

SHA256
3640ce892fd1b03f75074d471cabffd9fe49dd26445db4c5b1f976de91c6a0c0

SHA512
ddbaf0d4a0074c6636cef41944c9a034dd0fd6a5aa89efbfa7395d9146dd94646f28e81596e5135ebbed6bbcc0fccc6a09575837809017d252de7c241c9e0035

Download Submit
C:\Users\Admin\AppData\Local\Temp\fix.exe
Filesize
27.2MB

MD5
5ef560b9b48b65bb06fcc33f3396b60e

SHA1
6a41c446b22a59571423f24626b1165a9cf07154

SHA256
cd228faec86ed22a4c06d9ab3d7db74a8a440190b2ec001c81a42d99ded15644

SHA512
6cc6375b1abc7404854c9d5fefd942c37a9a9fefb659d8100a82b6e0fceca08f2d2aea3bfb3fc4f355fc02e7dd84989f556b4a945ffee9ca451f0d8d0e2c4ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fix.exe
Filesize
27.2MB

MD5
5ef560b9b48b65bb06fcc33f3396b60e

SHA1
6a41c446b22a59571423f24626b1165a9cf07154

SHA256
cd228faec86ed22a4c06d9ab3d7db74a8a440190b2ec001c81a42d99ded15644

SHA512
6cc6375b1abc7404854c9d5fefd942c37a9a9fefb659d8100a82b6e0fceca08f2d2aea3bfb3fc4f355fc02e7dd84989f556b4a945ffee9ca451f0d8d0e2c4ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
144KB

MD5
3c99042b54fb74e45b1c2f9bec86321b

SHA1
9c91ae20f4214122819659cd3f0ea46d4ea8699c

SHA256
4fc5d7b78bb2a049986044f87441ade0f0d09485cc508489bf1d484b2c7da695

SHA512
96b490b45fe228c0f0f18192a58f29bcef69afc0fd940544db1c0e849cffecf6091a1cfb1c8412a751deb5b3a67564d56afe3f72d4eee2678363ce84b2e58457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
256KB

MD5
c4e4407b5fcf49586ddd5d5573ae4b95

SHA1
0f60aaaaac09d4f9273207114fcc78c0bfb250eb

SHA256
8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

SHA512
95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
256KB

MD5
c4e4407b5fcf49586ddd5d5573ae4b95

SHA1
0f60aaaaac09d4f9273207114fcc78c0bfb250eb

SHA256
8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

SHA512
95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fix .exe
Filesize
26.9MB

MD5
20f0d5f26ccc128b8dc82a9cfb248df4

SHA1
1fbcdd3ac02351998393b61f2ce8e63fc1e7e59e

SHA256
3640ce892fd1b03f75074d471cabffd9fe49dd26445db4c5b1f976de91c6a0c0

SHA512
ddbaf0d4a0074c6636cef41944c9a034dd0fd6a5aa89efbfa7395d9146dd94646f28e81596e5135ebbed6bbcc0fccc6a09575837809017d252de7c241c9e0035

Download Submit
\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
144KB

MD5
3c99042b54fb74e45b1c2f9bec86321b

SHA1
9c91ae20f4214122819659cd3f0ea46d4ea8699c

SHA256
4fc5d7b78bb2a049986044f87441ade0f0d09485cc508489bf1d484b2c7da695

SHA512
96b490b45fe228c0f0f18192a58f29bcef69afc0fd940544db1c0e849cffecf6091a1cfb1c8412a751deb5b3a67564d56afe3f72d4eee2678363ce84b2e58457

Download Submit
\Users\Admin\AppData\Local\Temp\fix .exe
Filesize
26.9MB

MD5
20f0d5f26ccc128b8dc82a9cfb248df4

SHA1
1fbcdd3ac02351998393b61f2ce8e63fc1e7e59e

SHA256
3640ce892fd1b03f75074d471cabffd9fe49dd26445db4c5b1f976de91c6a0c0

SHA512
ddbaf0d4a0074c6636cef41944c9a034dd0fd6a5aa89efbfa7395d9146dd94646f28e81596e5135ebbed6bbcc0fccc6a09575837809017d252de7c241c9e0035

Download Submit
\Users\Admin\AppData\Local\Temp\fix .exe
Filesize
26.9MB

MD5
20f0d5f26ccc128b8dc82a9cfb248df4

SHA1
1fbcdd3ac02351998393b61f2ce8e63fc1e7e59e

SHA256
3640ce892fd1b03f75074d471cabffd9fe49dd26445db4c5b1f976de91c6a0c0

SHA512
ddbaf0d4a0074c6636cef41944c9a034dd0fd6a5aa89efbfa7395d9146dd94646f28e81596e5135ebbed6bbcc0fccc6a09575837809017d252de7c241c9e0035

Download Submit
\Users\Admin\AppData\Local\Temp\fix.exe
Filesize
27.2MB

MD5
5ef560b9b48b65bb06fcc33f3396b60e

SHA1
6a41c446b22a59571423f24626b1165a9cf07154

SHA256
cd228faec86ed22a4c06d9ab3d7db74a8a440190b2ec001c81a42d99ded15644

SHA512
6cc6375b1abc7404854c9d5fefd942c37a9a9fefb659d8100a82b6e0fceca08f2d2aea3bfb3fc4f355fc02e7dd84989f556b4a945ffee9ca451f0d8d0e2c4ccc

Download Submit
\Users\Admin\AppData\Roaming\Microsoft .Net Framework Servcies.exe
Filesize
144KB

MD5
3c99042b54fb74e45b1c2f9bec86321b

SHA1
9c91ae20f4214122819659cd3f0ea46d4ea8699c

SHA256
4fc5d7b78bb2a049986044f87441ade0f0d09485cc508489bf1d484b2c7da695

SHA512
96b490b45fe228c0f0f18192a58f29bcef69afc0fd940544db1c0e849cffecf6091a1cfb1c8412a751deb5b3a67564d56afe3f72d4eee2678363ce84b2e58457

Download Submit
memory/340-85-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/340-87-0x0000000002B00000-0x0000000002B10000-memory.dmp

Filesize
64KB

Download
memory/340-81-0x0000000000000000-mapping.dmp

Download
memory/340-92-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/340-93-0x0000000000400000-0x0000000000808000-memory.dmp

Filesize
4.0MB

Download
memory/544-78-0x000007FEEE010000-0x000007FEEF0A6000-memory.dmp

Filesize
16.6MB

Download
memory/544-74-0x0000000000000000-mapping.dmp

Download
memory/544-77-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

Filesize
10.1MB

Download
memory/668-95-0x0000000000000000-mapping.dmp

Download
memory/676-61-0x0000000072F00000-0x00000000734AB000-memory.dmp

Filesize
5.7MB

Download
memory/676-67-0x0000000072F00000-0x00000000734AB000-memory.dmp

Filesize
5.7MB

Download
memory/676-57-0x0000000000000000-mapping.dmp

Download
memory/924-63-0x0000000000000000-mapping.dmp

Download
memory/924-69-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/924-68-0x000007FEEE010000-0x000007FEEF0A6000-memory.dmp

Filesize
16.6MB

Download
memory/924-66-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

Filesize
10.1MB

Download
memory/1360-91-0x000007FEEE010000-0x000007FEEF0A6000-memory.dmp

Filesize
16.6MB

Download
memory/1360-86-0x0000000000000000-mapping.dmp

Download
memory/1360-90-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

Filesize
10.1MB

Download
memory/1648-70-0x0000000000000000-mapping.dmp

Download
memory/1648-73-0x000007FEF31B0000-0x000007FEF3BD3000-memory.dmp

Filesize
10.1MB

Download
memory/1648-75-0x000007FEEE010000-0x000007FEEF0A6000-memory.dmp

Filesize
16.6MB

Download
memory/1712-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1712-54-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download