revengerat | 2f59d7e5e47ae34b47b80d35cabcb64b156c96be58c3a4af8933a3e2fc4e06f9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

VapeV4/Vape Launcher.exe
Size

60.0MB
MD5

06f5e5c7664b2a7722ab7ece37ba9c91
SHA1

e868ee80c5408d720793f9bf43e8d2e31c4f9aff
SHA256

a3defec2912ae679020714ef9be85775b4a5fd31be643f29258752b75eb918aa
SHA512

23f2a79bce0f816c97673a6f985615edfa7eca704a0155ff1137107564f2f4fa4547f2ba09b7dbba79537f1cd825019543b9d8a00f0743cec55ee85060adbcc8
SSDEEP

1572864:6HNfIc/bDS7YL3iUqekIR681ttq+NDVK3ZiFx4mdSG:6Zzz+7stopJwCmIG

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/memory/2216-34-0x000001EAE07B0000-0x000001EAE440A000-memory.dmp	Nirsoft

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000b0000000232f0-18.dat	revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Vape Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WD Defender.exe	vbc.exe

Executes dropped EXE 3 IoCs

pid	Process
2216	Vape Launcher.exe
1716	Server.exe
4004	WD.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe
2216	Vape Launcher.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	Server.exe
Token: SeDebugPrivilege	2216	Vape Launcher.exe
Token: SeDebugPrivilege	4004	WD.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2216	2760	Vape Launcher.exe	85
PID 2760 wrote to memory of 2216	2760	Vape Launcher.exe	85
PID 2760 wrote to memory of 1716	2760	Vape Launcher.exe	88
PID 2760 wrote to memory of 1716	2760	Vape Launcher.exe	88
PID 1716 wrote to memory of 4004	1716	Server.exe	97
PID 1716 wrote to memory of 4004	1716	Server.exe	97
PID 4004 wrote to memory of 464	4004	WD.exe	99
PID 4004 wrote to memory of 464	4004	WD.exe	99
PID 464 wrote to memory of 3912	464	vbc.exe	101
PID 464 wrote to memory of 3912	464	vbc.exe	101

C:\Users\Admin\AppData\Local\Temp\VapeV4\Vape Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\VapeV4\Vape Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\Vape Launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Roaming\WD.exe
    "C:\Users\Admin\AppData\Roaming\WD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4004
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3lnvwwes.cmdline"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FC1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6659F860D5804E8BA321B2EBFB4452C.TMP"
        5⤵
        
        PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3lnvwwes.0.vb

Filesize
147B

MD5
1893f1685886a4c73281b32b22490c89

SHA1
413317abfc39873754fcfcf74a5720909266bf3c

SHA256
3335d87b3d8ffd8527eb5f02fda2ef802078a415ec0fd9b5ee569111e00d8c99

SHA512
b5968c611ee4435d3d29a7d96598c748e7c2e1b2c7ffa445fb0ec84fb234761c53ba96c7216e95d543455804fd34067783da8d9e65ef9bc6195a063fe83ae54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3lnvwwes.cmdline

Filesize
199B

MD5
026fe0a86939d6ce3527ff2a60ae3684

SHA1
cb227a078b692eaa99664548e3918e7ce903ad01

SHA256
59c1fd31b0022806d8f96c63e1d612dffacbec1de7aa7d6fb93d6ed855a2efb8

SHA512
e31e4f020fb47f7df77f39616c3d9690465d20b52eba5989047d2fdc58aa9281b47fbd01ab91a57bbb67cb8bc030af2317d7dca4584562f26261d1f7019ed75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4FC1.tmp

Filesize
1KB

MD5
3928ffaeff09a5a01a7b8a6d0be91aa2

SHA1
c67785f4d7af032151a539be625f93f4e3a84be9

SHA256
68187bb3f2070b3816fb896dac16cac94b9e8be022ec5d9d916bac00904c019f

SHA512
4851fbf6544008e049f68f87ef869fe983db1d778dbdec387d115e450957017c3cfd9aa9547806839dd55c711b5f9b1954ebae758e995388c4f8d0658ed8d4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
18KB

MD5
92a7871427944843f90b46fa2685eb6a

SHA1
d9c0e7a132fe3818cf69ccebef2d225c005132c2

SHA256
d4cd14f6ac8927c7cd79a7ec73197a8be20c1b090970a6cd10466bca3d2970b5

SHA512
d0182a0de8b5c39e211bd67c4d782a9fc66da5d8c660682b1381eb66e337bf0f34a0de63ecf697c318e8f8b80512ee4e0d52241978631a54b8262d17c543ebed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6659F860D5804E8BA321B2EBFB4452C.TMP

Filesize
660B

MD5
27eeeada22cba65d5e1826f9b6c81ca5

SHA1
905b0ef0420f6f23de635732d106e55cce4c84ac

SHA256
7046d372709ee88e4a6822f55d97a1fb65f55170f1ca86409b21428e8fcf4b40

SHA512
77c455774c93403e0325f6ae892190e06f07bf4333efa808c0646829d6848d7c8b218b4a802e56f7fb5101bdb189bc1cdb1fd73244a6714fa72ce88c0ed09dda

Download Submit
memory/1716-40-0x00007FFC704A5000-0x00007FFC704A6000-memory.dmp

Filesize
4KB

Download
memory/1716-30-0x000000001B8A0000-0x000000001BD6E000-memory.dmp

Filesize
4.8MB

Download
memory/1716-29-0x00007FFC701F0000-0x00007FFC70B91000-memory.dmp

Filesize
9.6MB

Download
memory/1716-31-0x000000001B2F0000-0x000000001B396000-memory.dmp

Filesize
664KB

Download
memory/1716-27-0x00007FFC704A5000-0x00007FFC704A6000-memory.dmp

Filesize
4KB

Download
memory/1716-32-0x000000001BE30000-0x000000001BE92000-memory.dmp

Filesize
392KB

Download
memory/1716-33-0x00007FFC701F0000-0x00007FFC70B91000-memory.dmp

Filesize
9.6MB

Download
memory/1716-54-0x00007FFC701F0000-0x00007FFC70B91000-memory.dmp

Filesize
9.6MB

Download
memory/1716-41-0x00007FFC701F0000-0x00007FFC70B91000-memory.dmp

Filesize
9.6MB

Download
memory/2216-36-0x000001EAE47C0000-0x000001EAE47F2000-memory.dmp

Filesize
200KB

Download
memory/2216-37-0x000001EA80C60000-0x000001EA80C7C000-memory.dmp

Filesize
112KB

Download
memory/2216-38-0x000001EA80C80000-0x000001EA80C86000-memory.dmp

Filesize
24KB

Download
memory/2216-39-0x00007FFC74610000-0x00007FFC750D1000-memory.dmp

Filesize
10.8MB

Download
memory/2216-35-0x000001EAFE8D0000-0x000001EAFEA46000-memory.dmp

Filesize
1.5MB

Download
memory/2216-34-0x000001EAE07B0000-0x000001EAE440A000-memory.dmp

Filesize
60.4MB

Download
memory/2216-25-0x00007FFC74610000-0x00007FFC750D1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-0-0x00007FFC74613000-0x00007FFC74615000-memory.dmp

Filesize
8KB

Download
memory/2760-28-0x00007FFC74610000-0x00007FFC750D1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-2-0x00007FFC74610000-0x00007FFC750D1000-memory.dmp

Filesize
10.8MB

Download
memory/2760-1-0x0000000000A00000-0x000000000460A000-memory.dmp

Filesize
60.0MB

Download