revengerat | 4acc7393b942c7c331ef0d08dc20000177adbe93f7a5202af14735b148c432f7

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 15:46

Target

stealer30.exe
Size

373KB
MD5

70d717a07a6df0db8fa222a5719c1ccd
SHA1

71dd5d3f838e2f869cca3aaf186c60aeb05bd682
SHA256

4acc7393b942c7c331ef0d08dc20000177adbe93f7a5202af14735b148c432f7
SHA512

cd83260c5b5891815907fb8b18383d8428c7d77a5c8af0556aaa8036e7dc2026c1e268506df86385dc8a2cb7d776b700b638adbf79b4d393a331b6d6e85cb250
SSDEEP

6144:wsNJZA19r/SpqYYn/70nFIyUveIh6i2AgVv0Io9J:b/i9T07YD0XF+n

Score

10^/10

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1056-63-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1056-62-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1056-61-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat
behavioral1/memory/1056-64-0x000000000040E8FE-mapping.dmp	revengerat
behavioral1/memory/1056-66-0x0000000000400000-0x0000000000414000-memory.dmp	revengerat

Suspicious use of SetThreadContext 1 IoCs

Processes:

stealer30.exe

description pid process target process

PID 1120 set thread context of 1056 1120 stealer30.exe stealer30.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

stealer30.exestealer30.exe

description pid process

Token: SeDebugPrivilege 1120 stealer30.exe
Token: SeDebugPrivilege 1056 stealer30.exe

description	pid	process	target process
PID 1120 set thread context of 1056	1120	stealer30.exe	stealer30.exe

description	pid	process
Token: SeDebugPrivilege	1120	stealer30.exe
Token: SeDebugPrivilege	1056	stealer30.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

stealer30.exe

description	pid	process	target process
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe
PID 1120 wrote to memory of 1056	1120	stealer30.exe	stealer30.exe

C:\Users\Admin\AppData\Local\Temp\stealer30.exe
"C:\Users\Admin\AppData\Local\Temp\stealer30.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

memory/1056-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1056-63-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1056-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1056-61-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1056-59-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1056-64-0x000000000040E8FE-mapping.dmp

Download
memory/1056-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1120-54-0x0000000000CA0000-0x0000000000D02000-memory.dmp

Filesize
392KB

Download
memory/1120-55-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/1120-56-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1120-57-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download