revengerat | 18804904d6fd09134cf8cd5a275af545c91cac966b40eca59aab052ceae5fb10 | Triage

Submit
Reports

Overview

overview

Static

static

1

expressvpn...se.exe

windows7-x64

4

expressvpn...se.exe

windows10-2004-x64

Sharing

General

Target

expressvpn_windows_12.48.0.49_release.exe
Size

62.9MB
Sample

230504-fwz1qaaa57
MD5

3da6d5f929181cd21fec8185cdb0f4ec
SHA1

f7d23460dbbeb2006da63a8c4076ca24f6137b43
SHA256

18804904d6fd09134cf8cd5a275af545c91cac966b40eca59aab052ceae5fb10
SHA512

a8d0eae9dc9290dcb1d774aa8b7c6e98a411f9b87bb4dd7289cf5e77370532a5349c83cf6e9de11e5584379f669627d0b010f0c32bfc90b9d00ecaeedb0c1d57
SSDEEP

1572864:AJ9elNwYoLFrDW1VbxAy9EhbuyvOUip66RBmxKoIVFNkB+/YBCbm:Ayl+YmuPGy9E9DiU6RBUKoIVFN++/iCi

Score

10^/10

revengerat discovery persistence stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

expressvpn_windows_12.48.0.49_release.exe

Resource

win7-20230220-es

windows7-x64

3 signatures

300 seconds

Behavioral task

behavioral2

Sample

expressvpn_windows_12.48.0.49_release.exe

Resource

win10v2004-20230220-es

revengerat discovery persistence stealer trojan

windows10-2004-x64

23 signatures

300 seconds

Malware Config

Targets

- Target
  
  expressvpn_windows_12.48.0.49_release.exe
- Size
  
  62.9MB
- MD5
  
  3da6d5f929181cd21fec8185cdb0f4ec
- SHA1
  
  f7d23460dbbeb2006da63a8c4076ca24f6137b43
- SHA256
  
  18804904d6fd09134cf8cd5a275af545c91cac966b40eca59aab052ceae5fb10
- SHA512
  
  a8d0eae9dc9290dcb1d774aa8b7c6e98a411f9b87bb4dd7289cf5e77370532a5349c83cf6e9de11e5584379f669627d0b010f0c32bfc90b9d00ecaeedb0c1d57
- SSDEEP
  
  1572864:AJ9elNwYoLFrDW1VbxAy9EhbuyvOUip66RBmxKoIVFNkB+/YBCbm:Ayl+YmuPGy9E9DiU6RBUKoIVFN++/iCi
Score

10^/10

revengerat discovery persistence stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

revengeratdiscoverypersistencestealertrojan

© 2018-2024

Terms | Privacy