revengerat | 0feeb8481e07c0d5c1973f7a1644b788d56c9616c82ae0ce73505893664804a1

General

Target

Setup.exe
Size

458KB
MD5

bfa40de5db5a15e0317dd72d982083dc
SHA1

fb93616799e85771a028944148bad57b15d0289b
SHA256

0feeb8481e07c0d5c1973f7a1644b788d56c9616c82ae0ce73505893664804a1
SHA512

cb39b9299485795ea810cb8f36b65bb3b816c37b7edd580bacccfaa8f9c222e0ebe08418ebef28512a2e87fc0ed758d5c6b3c445dfa5900e64d911fded2043c0
SSDEEP

6144:uK7EhfK4NKt9R8czLM0KGAFmLYYZMi/DQ/n0WvVhSOKi1UT:x7ElnUtkwLeNkZX/KvVcL

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2876-95-0x0000000000160000-0x000000000016C000-memory.dmp	revengerat

Executes dropped EXE 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

2352 svchost.exe
2876 explorer.exe

pid	process
2352	svchost.exe
2876	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Setup.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

explorer.exe

description pid process

Token: SeDebugPrivilege 2876 explorer.exe

description	pid	process
Token: SeDebugPrivilege	2876	explorer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Setup.exesvchost.exe

description	pid	process	target process
PID 2224 wrote to memory of 2352	2224	Setup.exe	svchost.exe
PID 2224 wrote to memory of 2352	2224	Setup.exe	svchost.exe
PID 2224 wrote to memory of 2352	2224	Setup.exe	svchost.exe
PID 2352 wrote to memory of 2876	2352	svchost.exe	explorer.exe
PID 2352 wrote to memory of 2876	2352	svchost.exe	explorer.exe
PID 2352 wrote to memory of 2876	2352	svchost.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2352

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
133KB

MD5
247976d7e405bfd0f716a3d5f2cd499b

SHA1
dbcf03a94b3cced51ebe42af6f860e8d898f2459

SHA256
c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6

SHA512
664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
133KB

MD5
247976d7e405bfd0f716a3d5f2cd499b

SHA1
dbcf03a94b3cced51ebe42af6f860e8d898f2459

SHA256
c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6

SHA512
664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize
133KB

MD5
247976d7e405bfd0f716a3d5f2cd499b

SHA1
dbcf03a94b3cced51ebe42af6f860e8d898f2459

SHA256
c37430f6f2249e0faff20595f0677955cd2c1f727f94bff53f21ecc894e340f6

SHA512
664b189c6b99b8927bb6fdb52c2c3f0031e88edc1dac80c8f6da5682ac30f17f295bed739df56e4bb754dca773c9eeb4e4b56fc3c36ccda0ab182ad54dd7edad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
memory/2224-71-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2224-54-0x0000000000B90000-0x0000000000C08000-memory.dmp

Filesize
480KB

Download
memory/2224-55-0x0000000000260000-0x000000000028C000-memory.dmp

Filesize
176KB

Download
memory/2224-56-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2224-57-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/2224-58-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-83-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2352-90-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-82-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-72-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2352-74-0x0000000000B00000-0x0000000000B80000-memory.dmp

Filesize
512KB

Download
memory/2352-73-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2352-70-0x0000000000D20000-0x0000000000D7A000-memory.dmp

Filesize
360KB

Download
memory/2352-75-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/2876-91-0x00000000012B0000-0x00000000012D6000-memory.dmp

Filesize
152KB

Download
memory/2876-92-0x000007FEF27D0000-0x000007FEF31BC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-93-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2876-94-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/2876-95-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2876-98-0x000007FEF27D0000-0x000007FEF31BC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-99-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads