revengerat | 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6

General

Target

c6f541377263694b92f3f6d72de7fb17.exe
Size

56KB
MD5

c6f541377263694b92f3f6d72de7fb17
SHA1

3fa80edb1e9d07afab32c45c19a2997c154b4a55
SHA256

2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
SHA512

af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798
SSDEEP

768:4OGoLGlaB2HyuJOIyVvsBWXuIsegP2j7RhgDQHorUkgZU++NNPqtUA2TVzYcHe+Z:Ioyll9OIyscX5sen7RQTYknVNPqtR+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\zsvchost.exe	revengerat

Drops startup file 6 IoCs

Processes:

vbc.exezsvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	zsvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	zsvchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk	zsvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL	zsvchost.exe

Executes dropped EXE 1 IoCs

Processes:

zsvchost.exe

pid process

2032 zsvchost.exe
Loads dropped DLL 2 IoCs

Processes:

c6f541377263694b92f3f6d72de7fb17.exezsvchost.exe

pid process

2292 c6f541377263694b92f3f6d72de7fb17.exe
2032 zsvchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2032	zsvchost.exe

pid	process
2292	c6f541377263694b92f3f6d72de7fb17.exe
2032	zsvchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe"	zsvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c6f541377263694b92f3f6d72de7fb17.exezsvchost.exe

description pid process

Token: SeDebugPrivilege 2292 c6f541377263694b92f3f6d72de7fb17.exe
Token: SeDebugPrivilege 2032 zsvchost.exe

description	pid	process
Token: SeDebugPrivilege	2292	c6f541377263694b92f3f6d72de7fb17.exe
Token: SeDebugPrivilege	2032	zsvchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c6f541377263694b92f3f6d72de7fb17.exezsvchost.exevbc.exe

description	pid	process	target process
PID 2292 wrote to memory of 2032	2292	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 2292 wrote to memory of 2032	2292	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 2292 wrote to memory of 2032	2292	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 2292 wrote to memory of 2032	2292	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 2032 wrote to memory of 1664	2032	zsvchost.exe	vbc.exe
PID 2032 wrote to memory of 1664	2032	zsvchost.exe	vbc.exe
PID 2032 wrote to memory of 1664	2032	zsvchost.exe	vbc.exe
PID 2032 wrote to memory of 1664	2032	zsvchost.exe	vbc.exe
PID 1664 wrote to memory of 1812	1664	vbc.exe	cvtres.exe
PID 1664 wrote to memory of 1812	1664	vbc.exe	cvtres.exe
PID 1664 wrote to memory of 1812	1664	vbc.exe	cvtres.exe
PID 1664 wrote to memory of 1812	1664	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe
"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Roaming\zsvchost.exe
"C:\Users\Admin\AppData\Roaming\zsvchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4490.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc448F.tmp"
4⤵
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4490.tmp
Filesize
1KB

MD5
4c959e2c4f0b812236eaf9b410acc22d

SHA1
4bd78dd3777fd88f3e46dd805175abe0e5f094f5

SHA256
1625b12ec08a35cfe00e468ae9e452f1667c5c55e62e1f85bd5aea3cd4c75d28

SHA512
0ec53af70271d803dc269f53daaa556876481486cb114795eb18a55bda8a209165de17203d87fad29c4091173e09dd88b3f2ec0dc7f6c969b847c9b4e518fa81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.0.vb
Filesize
152B

MD5
5b68ebfdc7b748c3184d311b9d2cfb18

SHA1
26c52050e13a65bf8acdb09e96c6151f59ff1c0d

SHA256
42080924e0930393b885d864c9ef9d9710ec6e134780a0355e3682099ffc1ad8

SHA512
91b0171ef91c36d9a276ed199571a0d620d9a0435a8108d1fff116ba6d941f1c7cf672a9d76d66474f0868d270c3663b6502df934196981d013120705f479840

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfvt6cpb.cmdline
Filesize
194B

MD5
4f6d62a9e8e7853c5a60ae47146cd938

SHA1
61a2edd915f8bf180f10f62fef1c5ea4a39a4d85

SHA256
c39ebe9d4661564b5ce261b915df0a7f13653e1f7b657c13aa78d6f10049a5ca

SHA512
4042c2f76f5c92af29cca56cf6b389348dab260918bf61d342fcf696fbeab7d957d51b3ee19376c2205d56427fb9a23821a16ff6bd254e48f0029b0a841baee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc448F.tmp
Filesize
660B

MD5
18d32c179a2248e73714478d2dc06a39

SHA1
a36e3f5259c633f740943b4c621ee7394ad035be

SHA256
97405159393a506a3ed346197a0c9bb0c961d06616d79d40466f45fa2623bcc7

SHA512
fd54b7cbcf6b7de721224791d795f69fd468e34d6c0dbece35ed71a3d17c4b4ca06346b83644d3d1c070df25fda1bcdcc424e3a922569b2bace8a65c5936e29e

Download Submit
\Users\Admin\AppData\Roaming\zsvchost.exe
Filesize
56KB

MD5
c6f541377263694b92f3f6d72de7fb17

SHA1
3fa80edb1e9d07afab32c45c19a2997c154b4a55

SHA256
2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6

SHA512
af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798

Download Submit
memory/1664-30-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2032-14-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-15-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-16-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-13-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-0-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-5-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2292-4-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-3-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-1-0x0000000074570000-0x0000000074B1B000-memory.dmp

Filesize
5.7MB

Download
memory/2292-2-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads