revengerat | 3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446

Analysis

max time kernel
92s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
01-04-2024 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
Size

1.4MB
MD5

5673c04d81969a6603184069b6846213
SHA1

49fdd9c69f1c281d94486029dfaa5108dfc168bf
SHA256

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446
SHA512

c381630f7c9c72ca538679bef37b9e966ec2f906bd5eb36a42069e3742ddd57bd958d867ede257edc3244e40fa3a6c65c10cddd07dddfd89cc2085eef13291cb
SSDEEP

24576:rq5TfcdHj4fmb9Ve9u2qTPIMeYyBMLlQjzCEzKJ9TtLzCwn1jAh0zQJ9TtDRli:rUTsamC9uxKjY5x1jAF5i

Score

10^/10

revengerat stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

dmr_72.exe

pid process

1188 dmr_72.exe

pid	process
1188	dmr_72.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2776-0-0x0000000000800000-0x0000000000AFD000-memory.dmp	upx
behavioral1/memory/2776-19-0x0000000000800000-0x0000000000AFD000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2776-19-0x0000000000800000-0x0000000000AFD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

pid	process
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

pid process

2776 3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dmr_72.exe

description pid process

Token: SeDebugPrivilege 1188 dmr_72.exe

description	pid	process
Token: SeDebugPrivilege	1188	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

pid	process
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

pid	process
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dmr_72.exe

pid process

1188 dmr_72.exe
1188 dmr_72.exe

pid	process
1188	dmr_72.exe
1188	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe

description	pid	process	target process
PID 2776 wrote to memory of 1188	2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe	dmr_72.exe
PID 2776 wrote to memory of 1188	2776	3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe	dmr_72.exe

C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe
"C:\Users\Admin\AppData\Local\Temp\3a6e2de5b3de6e67229b11f6d74a4f9af70ccec85c2573a905df5a1f84a35446.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54417509 -chipderedesign -a80c61fa351a416282afb39d6c109d6c - -BLUB2 -klzstdmrzvclclwg -2776
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
Filesize
508KB

MD5
da9e9a98a7cf8da14f9e3c9973328fb7

SHA1
42e37cbfa37877d247ebd37d9553cb6224d6bee6

SHA256
c1116053bbac19ab273dc120c2984c235d116cdcc9e3ac437951b55465fd7063

SHA512
ce98f1984a3db301df7c1078dc6014fc1a03a1643c5635ef59775ee8019fbae4e07c16e99ec3d1998f45947d57493ada96e5116c359a590b14573833eec17343

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\klzstdmrzvclclwg.dat
Filesize
161B

MD5
c800879c1c73dbbb198fc42669646aa7

SHA1
ab63307099961d43ebb2b64809b7f39d030bab7b

SHA256
4c4dd62b579e43dc1c4cf859299df3023409492281f173bc5c3d2cc00bb782d7

SHA512
0bc20e0c61f46a6c8eb0d8c276edc1f1901ac2f2800199d78490ba0b3c096e4cbf08a175ee19f663d7c13d56e7b6852f32478ea6c85f7829f6fd2880023213df

Download Submit
C:\Users\Admin\Desktop\InvokeImport.mpp
Filesize
868KB

MD5
2eb6be031eb95e3a66144edecf343ad2

SHA1
43f4b2003a7372e918a1eee415b0c9e75f49a7d5

SHA256
ea4bad0e456a9d034cbdf6e1c20e7ba585ff8f468107e671ce9a4213a134e9cb

SHA512
7b69ba49a1c70980417ee4b26bc7e86bd9d6459b1a4cd41f0267aba1b7ed7d3571c3621451345c11e3cf9ec516cf8ecb10496399d8cef18062e7e58e6ce29d55

Download Submit
C:\Users\Admin\Desktop\OptimizeRepair.3g2
Filesize
794KB

MD5
a1423b1c6c81b243f24cae651d95a01f

SHA1
f98379ddfdcb3b02f5e83838270ff9e6fe4c46f1

SHA256
19391691ddf1954382733beac9f17eb9e9b33801d98aa46745430c177d8c9e40

SHA512
5fc0bafb6cf0be40266721a75e96ffc8712db62ca7e9748bc010bc67541a897a1de4b8dbd6341a74fe271bf511519b1ec74c4a358b9ea91eae8826d59dc525bb

Download Submit
C:\Users\Admin\Desktop\PopDeny.tiff
Filesize
372KB

MD5
e4814df2631b0076142166c75e51e520

SHA1
3a160e22358ca60e99d5be81562fa1964b51b7f1

SHA256
5afaea43e532d8ba0dfc5ec408e77f498f1c134c97a38236ff3001dc247cd002

SHA512
8056bfcd2ef40472ebb6c74f30efb00e7926d1514fb7269586d91c265f4960644b5be210b783d991339752c7b5850a29f4d5606fe3977e9a070293aa9d795336

Download Submit
C:\Users\Admin\Desktop\ProtectDeny.tif
Filesize
719KB

MD5
7a7f4a953bb307581fdcca6fe659733a

SHA1
ce3c71323afd34a9f1151f8f33b98b1d91b40354

SHA256
b2d8fc1f3a080ccfc0e46c9f9a5df5806a3bc1dd37e5cc835aebe50c76930393

SHA512
6507b50d6682a678a4693de87b1c03a0464413674fc123af4dd98f2127241fa96334abd190348e4e2d46308f8ccb91911246a16bd4ba9f0e319654c2598357e6

Download Submit
C:\Users\Admin\Desktop\ProtectEnter.jpg
Filesize
1.3MB

MD5
95286eb21517f00a55f89ec4567dec4b

SHA1
1b0215fba9312a9830c92c58371487ee691c14c6

SHA256
279ef08324e74128432f15c26ba78a9b2c992fbc84c4f18bf8cd12a39fd4f74c

SHA512
b8febfb237f443c76fd1cb0b3c28d94565570d9129a4ecd789885583c45ec24c8cc1eda114986852e684684bd40aa86521e74a1a8d0185d8295ecf8d81346699

Download Submit
C:\Users\Admin\Desktop\PublishMove.vsdm
Filesize
521KB

MD5
6a683e9df2d4f3a9b6771829ad658b08

SHA1
261a87ac921c7e7ad18e1a6342dfb855d51e8271

SHA256
08a763ef0e0bf1954f01b6df2dc68be4f80be241ed550a5397f81e64bd274716

SHA512
5ccdda3bd85f9d69bed93307537b578ac520ff4744c00e7921c04caa9ffe29c4010e68e946dcac58a775c4fa35557311eed9f9255beb2a93731b12ec23e553e8

Download Submit
C:\Users\Admin\Desktop\PushEnable.avi
Filesize
967KB

MD5
352dbdae88ae5d28de634b466b838fb0

SHA1
1d9defd61ede55a69d075b501cf00a1a1c6c7d2d

SHA256
6aa6ae1adf686f868fb5f21dec4b361c1d407097dd0c384e3400f022bdb7d0d7

SHA512
c15716b75881c8eeffde84ad321dc864df168d35254659c84d425bdf11ebbf198751e9df182ff26be929a94153863ada136f085338fb1012b4fe041a4cdb09d5

Download Submit
C:\Users\Admin\Desktop\RegisterDismount.m4a
Filesize
818KB

MD5
133fa0a52ccde588cd6bd7f9d547439c

SHA1
0a840aae8c9b7895353ad854f53b976fc3ba85ef

SHA256
df401fa75018bc9d7d9910ca404383c8796bb926e37554b83fc8bce95ae85905

SHA512
246fb4267f53ec9432ddf8fe0d80a2abf35b427373142fbcecf45c59cf83b542f47ccfcbfaf2ff44ffed41df9b31c1734c51ce1fb65c864eb6b0756e7f5b8e98

Download Submit
C:\Users\Admin\Desktop\RequestDismount.xht
Filesize
670KB

MD5
1f79785272175273357a3aa667357cfa

SHA1
d57d893853704ab727006d3ac1fa423ac22d10d9

SHA256
0c637954ec2f3e9b6cbecd41e0c712af31233146db70a7c4277596ac92f3e38c

SHA512
6881d2c2d3913ae87d2085fbd846b3f621a9555b4d2210ef576c0b37fca29d9f1f671e0fbe032f296b7e741a8d64fcb1c8421f2259c9244e17dd081605088a6f

Download Submit
C:\Users\Admin\Desktop\ResizeProtect.dll
Filesize
992KB

MD5
cea8befcecc3ae18e747334fbc8298a1

SHA1
cd561790dc1b0ff829c04940a8aa00c6bf548cc2

SHA256
4d7f9848fa3706a7a9328ffa7452e16c51b0f7c563464916d680754c520a6b37

SHA512
925866effe8dfd96412001998f3c2184b97248015df63124cd24117ff3a7bab4c53fc4e2385566a24cf655d0ec8ea3ac88d7716425dc2144044bafa2bed534e9

Download Submit
C:\Users\Admin\Desktop\ResumeReset.emf
Filesize
918KB

MD5
2f49cf5e59a738dd484ff4789f4f8b79

SHA1
3c47227faadda2bed397ef402bfe0bf9a50bba93

SHA256
5cb228bc13a4afa6e51e5099a23a5bdf7ac3c6aff6b8efe1228a1a57dbba2f83

SHA512
63296ae7f8243795c0ddab71e345fb8fe2c56efa5e78a20f221c1403fd08e19a7c36c457d58fa818760fba2cc9dd228a1de7481727fc417e8520ac0e0dad9364

Download Submit
C:\Users\Admin\Desktop\UnlockStart.au3
Filesize
446KB

MD5
19acf120a7ff2fd8d029a332d07d9b1f

SHA1
842b5f370047b6c13d11fb63e010cf61a2646a0d

SHA256
49f3d3218f1a8b4a051009b6d8cec9ab600deeb12f11b31770ce996cbd3e24cc

SHA512
bfb19807442ef935db90606f3c3e85dc3571c7cd4901a9665a1242dda3015d6e34c153055c8204ad5518e8432afb3540af7217a89d7a75474fb44b853fdb7674

Download Submit
C:\Users\Admin\Desktop\WatchInstall.rle
Filesize
645KB

MD5
893983a2bf9d129acdc771f4e7c660e4

SHA1
05f63c5a155c8d4377ce24a11172d947d389b4dc

SHA256
4a9534ebd43f9e427ff827e1eb85c22a7d809fa918e828e86c6bca46ca3225ec

SHA512
0e4c60cc68c90dece2d01de264bd72ca342103cb54b8bf25f7998bbe21cd0a0c1992617f43a4abf84d837985041156412ab0458444c7ab5b4ef9b3b881b6cdf5

Download Submit
memory/1188-18-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-21-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-27-0x000000001B350000-0x000000001B503000-memory.dmp

Filesize
1.7MB

Download
memory/1188-25-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-24-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-23-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-22-0x00007FF8292B0000-0x00007FF829D72000-memory.dmp

Filesize
10.8MB

Download
memory/1188-28-0x00007FF8292B0000-0x00007FF829D72000-memory.dmp

Filesize
10.8MB

Download
memory/1188-20-0x000000001B350000-0x000000001B503000-memory.dmp

Filesize
1.7MB

Download
memory/1188-14-0x00007FF8292B0000-0x00007FF829D72000-memory.dmp

Filesize
10.8MB

Download
memory/1188-13-0x0000000000570000-0x00000000005F4000-memory.dmp

Filesize
528KB

Download
memory/1188-17-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/1188-15-0x000000001B200000-0x000000001B210000-memory.dmp

Filesize
64KB

Download
memory/2776-0-0x0000000000800000-0x0000000000AFD000-memory.dmp

Filesize
3.0MB

Download
memory/2776-19-0x0000000000800000-0x0000000000AFD000-memory.dmp

Filesize
3.0MB

Download