revengerat | 2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6

General

Target

c6f541377263694b92f3f6d72de7fb17.exe
Size

56KB
MD5

c6f541377263694b92f3f6d72de7fb17
SHA1

3fa80edb1e9d07afab32c45c19a2997c154b4a55
SHA256

2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6
SHA512

af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798
SSDEEP

768:4OGoLGlaB2HyuJOIyVvsBWXuIsegP2j7RhgDQHorUkgZU++NNPqtUA2TVzYcHe+Z:Ioyll9OIyscX5sen7RQTYknVNPqtR+

Score

10^/10

revengerat persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\zsvchost.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c6f541377263694b92f3f6d72de7fb17.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	c6f541377263694b92f3f6d72de7fb17.exe

Drops startup file 6 IoCs

Processes:

zsvchost.exevbc.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	zsvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	zsvchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.lnk	zsvchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09Client.URL	zsvchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\09svcchost.exe	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

zsvchost.exe

pid process

4676 zsvchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4676	zsvchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

zsvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\zsvchost.exe"	zsvchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c6f541377263694b92f3f6d72de7fb17.exezsvchost.exe

description pid process

Token: SeDebugPrivilege 1000 c6f541377263694b92f3f6d72de7fb17.exe
Token: SeDebugPrivilege 4676 zsvchost.exe

description	pid	process
Token: SeDebugPrivilege	1000	c6f541377263694b92f3f6d72de7fb17.exe
Token: SeDebugPrivilege	4676	zsvchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c6f541377263694b92f3f6d72de7fb17.exezsvchost.exevbc.exe

description	pid	process	target process
PID 1000 wrote to memory of 4676	1000	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 1000 wrote to memory of 4676	1000	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 1000 wrote to memory of 4676	1000	c6f541377263694b92f3f6d72de7fb17.exe	zsvchost.exe
PID 4676 wrote to memory of 2320	4676	zsvchost.exe	vbc.exe
PID 4676 wrote to memory of 2320	4676	zsvchost.exe	vbc.exe
PID 4676 wrote to memory of 2320	4676	zsvchost.exe	vbc.exe
PID 2320 wrote to memory of 5040	2320	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 5040	2320	vbc.exe	cvtres.exe
PID 2320 wrote to memory of 5040	2320	vbc.exe	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe
"C:\Users\Admin\AppData\Local\Temp\c6f541377263694b92f3f6d72de7fb17.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Admin\AppData\Roaming\zsvchost.exe
"C:\Users\Admin\AppData\Roaming\zsvchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gaxaszel.cmdline"
3⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB53DD25A86EC445F8321F47F673D3B17.TMP"
4⤵
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4FA2.tmp
Filesize
1KB

MD5
8f0d5a06d5e8dcb8501d9432cd26fd8c

SHA1
66d9926a2418ee6a90e45d31ba9bc576c5c2447c

SHA256
6983bc3c356d860891e9217327c238f9863285d365b709f64879cca57b95ea8f

SHA512
9cd1b3da1f25cd1883d5f2ca06d153e426968d4803292f0cc16e47dbd13ede6df239dd2b30d3395caf916dfb70e3d06c88539350d7a4e2aa9144fe440d841c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaxaszel.0.vb
Filesize
152B

MD5
5b68ebfdc7b748c3184d311b9d2cfb18

SHA1
26c52050e13a65bf8acdb09e96c6151f59ff1c0d

SHA256
42080924e0930393b885d864c9ef9d9710ec6e134780a0355e3682099ffc1ad8

SHA512
91b0171ef91c36d9a276ed199571a0d620d9a0435a8108d1fff116ba6d941f1c7cf672a9d76d66474f0868d270c3663b6502df934196981d013120705f479840

Download Submit
C:\Users\Admin\AppData\Local\Temp\gaxaszel.cmdline
Filesize
194B

MD5
210bd127268325ed2829ee5e71016a98

SHA1
533be3796d7974a3b660e0a73c10c19801200986

SHA256
27e27faea031109d375f26a448bd204669bd605cbeec17c5c69ab0cfd74d85ca

SHA512
d2112b9b75bd1d7ba3ed53669232d09264acf138029ed0b54bd884ded8dc0c1254571246bad186637f4e16245f7bddcbe9f742d8880e78cdcc3ba8d4371a4d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB53DD25A86EC445F8321F47F673D3B17.TMP
Filesize
660B

MD5
18d32c179a2248e73714478d2dc06a39

SHA1
a36e3f5259c633f740943b4c621ee7394ad035be

SHA256
97405159393a506a3ed346197a0c9bb0c961d06616d79d40466f45fa2623bcc7

SHA512
fd54b7cbcf6b7de721224791d795f69fd468e34d6c0dbece35ed71a3d17c4b4ca06346b83644d3d1c070df25fda1bcdcc424e3a922569b2bace8a65c5936e29e

Download Submit
C:\Users\Admin\AppData\Roaming\zsvchost.exe
Filesize
56KB

MD5
c6f541377263694b92f3f6d72de7fb17

SHA1
3fa80edb1e9d07afab32c45c19a2997c154b4a55

SHA256
2f254906129ccf4a7f769a41252699f3865202dbd4484aac4ea957f08d3fa3d6

SHA512
af81cdf8d211ba33b782f48f62ae37241acc703ff522e3c9cc916fa4cbd357f6bd32896ea79a134409cd2f52df8ec73b2634ed60f728dde8c83bb6cd3a118798

Download Submit
memory/1000-1-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/1000-2-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-3-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-14-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/1000-0-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/2320-30-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/4676-15-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/4676-17-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-16-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download
memory/4676-13-0x0000000074E30000-0x00000000753E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads