revengerat | fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4

Resubmissions

03-06-2023 11:19

230603-ne3dhsge65 10

03-06-2023 11:03

230603-m5sfkage45 10

Analysis

max time kernel
86s
max time network
99s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-06-2023 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56436.exe
Size

17KB
MD5

c809335d893e45403a4b3a2f057912d4
SHA1

e98ccab279d633a8ab0e66ad7812fb4d5a656dba
SHA256

fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4
SHA512

5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14
SSDEEP

384:9GDRfRdKatRiWfu+/oEIPJvnbisVKi6yrLu2s2:9GF5dKat32+IRmua2

Score

10^/10

revengerat guest stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

structure-processor.at.ply.gg:45659

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 7 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1152-54-0x00000000008C0000-0x00000000008C8000-memory.dmp	revengerat
behavioral1/memory/1152-55-0x0000000001F20000-0x0000000001FA0000-memory.dmp	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
C:\Users\Admin\AppData\Roaming\Client.exe	revengerat
behavioral1/memory/1796-64-0x0000000000FC0000-0x0000000000FC8000-memory.dmp	revengerat
behavioral1/memory/1796-65-0x0000000000B30000-0x0000000000BB0000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1796 Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

56436.exeClient.exe

description pid process

Token: SeDebugPrivilege 1152 56436.exe
Token: SeDebugPrivilege 1796 Client.exe

pid	process
1796	Client.exe

description	pid	process
Token: SeDebugPrivilege	1152	56436.exe
Token: SeDebugPrivilege	1796	Client.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

56436.exe

description	pid	process	target process
PID 1152 wrote to memory of 1796	1152	56436.exe	Client.exe
PID 1152 wrote to memory of 1796	1152	56436.exe	Client.exe
PID 1152 wrote to memory of 1796	1152	56436.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\56436.exe
"C:\Users\Admin\AppData\Local\Temp\56436.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Roaming\Client.exe
"C:\Users\Admin\AppData\Roaming\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
17KB

MD5
c809335d893e45403a4b3a2f057912d4

SHA1
e98ccab279d633a8ab0e66ad7812fb4d5a656dba

SHA256
fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4

SHA512
5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
17KB

MD5
c809335d893e45403a4b3a2f057912d4

SHA1
e98ccab279d633a8ab0e66ad7812fb4d5a656dba

SHA256
fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4

SHA512
5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe
Filesize
17KB

MD5
c809335d893e45403a4b3a2f057912d4

SHA1
e98ccab279d633a8ab0e66ad7812fb4d5a656dba

SHA256
fff181b9a2ba6244e9509682573d004071f06825637a0c46bf50f3dad73b1fa4

SHA512
5f67a1088350510ba24a2688a6d486d7a61e983dc84475918e54da08ecd1cc7eddbccd6b51bc94593d756703e3e8b1edbcefe1312a2bc06416502a0fed657d14

Download Submit
memory/1152-54-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/1152-55-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/1152-56-0x0000000001F20000-0x0000000001FA0000-memory.dmp

Filesize
512KB

Download
memory/1796-64-0x0000000000FC0000-0x0000000000FC8000-memory.dmp

Filesize
32KB

Download
memory/1796-65-0x0000000000B30000-0x0000000000BB0000-memory.dmp

Filesize
512KB

Download