revengerat | bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

explorer.exe
Size

133KB
MD5

6d78acbcbb8d77547e8956bdd6b19e0e
SHA1

ff5baeccc5b4fe4ebbbe6b156ff20ba1e794627c
SHA256

bff2704e9379a61eae54b65d1f815dacf0ceae99f140a1eafcc94b020abbf9a3
SHA512

0903e02f7d0b964d66bfecde0763a7d604b256c84d7fed04e675366953a6f81b5b8fd9ac47538baf6e5df90a2f3f178d7ff1cfab41c22cc896b42f3bbf607118
SSDEEP

3072:l5CdDQ+OvxqeJ333N7PabPucUSakfu3cbbH0hLNi:XYOoevCbPXUrkfu3kUT

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1648-10-0x00000000022D0000-0x00000000022DC000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	version.exe

Executes dropped EXE 1 IoCs

pid	Process
2820	version.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1568	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe
1648	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	explorer.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	explorer.exe
1648	explorer.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 4584	1648	explorer.exe	83
PID 1648 wrote to memory of 4584	1648	explorer.exe	83
PID 2820 wrote to memory of 3532	2820	version.exe	87
PID 2820 wrote to memory of 3532	2820	version.exe	87
PID 2820 wrote to memory of 4324	2820	version.exe	92
PID 2820 wrote to memory of 4324	2820	version.exe	92
PID 2820 wrote to memory of 3968	2820	version.exe	88
PID 2820 wrote to memory of 3968	2820	version.exe	88
PID 2820 wrote to memory of 4580	2820	version.exe	91
PID 2820 wrote to memory of 4580	2820	version.exe	91
PID 2820 wrote to memory of 384	2820	version.exe	93
PID 2820 wrote to memory of 384	2820	version.exe	93
PID 4580 wrote to memory of 3500	4580	cmd.exe	97
PID 4580 wrote to memory of 3500	4580	cmd.exe	97
PID 3532 wrote to memory of 2332	3532	cmd.exe	99
PID 3532 wrote to memory of 2332	3532	cmd.exe	99
PID 3968 wrote to memory of 3100	3968	cmd.exe	101
PID 3968 wrote to memory of 3100	3968	cmd.exe	101
PID 384 wrote to memory of 2020	384	cmd.exe	100
PID 384 wrote to memory of 2020	384	cmd.exe	100
PID 4324 wrote to memory of 3636	4324	cmd.exe	102
PID 4324 wrote to memory of 3636	4324	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- \??\c:\windows\system32\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\z2aru1ck.inf
  2⤵
  PID:4584

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2020

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8c83aaf9a98d5a32d6213bc6b552925e

SHA1
6c36e784738f6ee769f055e7237d087af9db5341

SHA256
9b0a00e9f86bd22cfc30ddfe399d7284f0895bb8b5e8faf4207caf63459a3a17

SHA512
413a58e6a510199500458fe9abce3366401b9b83ed1f5190a8823de30c258a786add624fcfca9181570dc2ef8d6d95c7d87061221d014a7fa997917c22dd2421

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fmibpf4h.tqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z2aru1ck.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
11KB

MD5
a2e907bf8f4c9c90c5b270cd78d86556

SHA1
97751aedfaae7c181482f227c3ec558f8f63503d

SHA256
5ebb3f9a174483bbd163a5bae6a49adb9f21db1ca3a7126898dfd904d27ea7e1

SHA512
4718342f0c1a182d6c435129bca18413798384f8ba0d9a79d6453e4e1b2a3316b7f844b4b786862a20dd2d33816b162924e11b5dfdfe2df28be474d1b91b9786

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
11KB

MD5
a2e907bf8f4c9c90c5b270cd78d86556

SHA1
97751aedfaae7c181482f227c3ec558f8f63503d

SHA256
5ebb3f9a174483bbd163a5bae6a49adb9f21db1ca3a7126898dfd904d27ea7e1

SHA512
4718342f0c1a182d6c435129bca18413798384f8ba0d9a79d6453e4e1b2a3316b7f844b4b786862a20dd2d33816b162924e11b5dfdfe2df28be474d1b91b9786

Download Submit
memory/1648-10-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/1648-81-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-84-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1648-9-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1648-8-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1648-100-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1648-3-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1648-0-0x0000000000150000-0x0000000000178000-memory.dmp

Filesize
160KB

Download
memory/1648-2-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-1-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/2020-94-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-47-0x000001C5FD9F0000-0x000001C5FDA00000-memory.dmp

Filesize
64KB

Download
memory/2020-52-0x000001C5FD9F0000-0x000001C5FDA00000-memory.dmp

Filesize
64KB

Download
memory/2020-46-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2020-80-0x000001C5FD9F0000-0x000001C5FDA00000-memory.dmp

Filesize
64KB

Download
memory/2332-31-0x00000243F4DC0000-0x00000243F4DE2000-memory.dmp

Filesize
136KB

Download
memory/2332-101-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-19-0x00000243F5090000-0x00000243F50A0000-memory.dmp

Filesize
64KB

Download
memory/2332-20-0x00000243F5090000-0x00000243F50A0000-memory.dmp

Filesize
64KB

Download
memory/2332-18-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-17-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-15-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/2820-14-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/3100-82-0x000001B702630000-0x000001B702640000-memory.dmp

Filesize
64KB

Download
memory/3100-92-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-78-0x000001B702630000-0x000001B702640000-memory.dmp

Filesize
64KB

Download
memory/3100-21-0x000001B702630000-0x000001B702640000-memory.dmp

Filesize
64KB

Download
memory/3100-75-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-76-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-83-0x000001C44B390000-0x000001C44B3A0000-memory.dmp

Filesize
64KB

Download
memory/3500-93-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-53-0x000001C44B390000-0x000001C44B3A0000-memory.dmp

Filesize
64KB

Download
memory/3500-79-0x000001C44B390000-0x000001C44B3A0000-memory.dmp

Filesize
64KB

Download
memory/3636-77-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-73-0x000001D565150000-0x000001D565160000-memory.dmp

Filesize
64KB

Download
memory/3636-97-0x00007FF9823E0000-0x00007FF982EA1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-59-0x000001D565150000-0x000001D565160000-memory.dmp

Filesize
64KB

Download