revengerat | 7311a31fa32003d435c6f440323b72f439340d7ef8b59bdb1afb642f8b59510a

General

Target

e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
Size

1.5MB
MD5

e550ff5183f85d599a6529d6c9a7f970
SHA1

f69323ad6c1721b6fda1a8a13d35a99603a121d5
SHA256

7311a31fa32003d435c6f440323b72f439340d7ef8b59bdb1afb642f8b59510a
SHA512

12d01994c5dc013a116092eff946aefd19e78460bb20448c87598d1d3075e5eedab7aa499b4fc44cded68273b2f4bce0b13132c0ec2b161b6de013c91edabdfe
SSDEEP

24576:4q5TfcdHj4fmb12q2jzKJ9TtrQB1iRIuawWI4FzQJ9TtFO85NVU/1awS+M:4UTsamJxF5TawD5G1awA

Score

10^/10

revengerat stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x002d000000014a55-4.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2588	dmr_72.exe

Loads dropped DLL 4 IoCs

pid	Process
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2196-0-0x00000000001A0000-0x00000000004C0000-memory.dmp	upx
behavioral1/memory/2196-25-0x00000000001A0000-0x00000000004C0000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2196-25-0x00000000001A0000-0x00000000004C0000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2588	dmr_72.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2588	dmr_72.exe
2588	dmr_72.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2588	2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2588	2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2588	2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe	28
PID 2196 wrote to memory of 2588	2196	e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe	28

C:\Users\Admin\AppData\Local\Temp\e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e550ff5183f85d599a6529d6c9a7f970_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54378657 -chipderedesign -13a51bf7eb354ce98f66ddee7e320b61 - -BLUB2 -laxadzmkmhvocxdb -2196
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\laxadzmkmhvocxdb.dat

Filesize
198B

MD5
da38f952c42b0c514c77f15f5be4c4a1

SHA1
17dab6dd5952a7530748bce9357f4b55b581dbd9

SHA256
825dc4f2ba6b58e2c4ed81a00019d0cbed9efc798fb29d5eed365c1535ba0000

SHA512
a653013afcb50e169e6301c0b64421015b248513615bcf542fe8554896e6e989f3423e635bc5ad260b4f1d7c3b75c72e94d7e02a87e61defa91345c4b101f8bf

Download Submit
\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
542KB

MD5
eef396a9d8d96cf6a7bee4574ce281b0

SHA1
20f125cd1d129ee06538d067ed6136f0cbc4cb7a

SHA256
34c535c27c06ad0d9e1c740e24610538dcf6186e2bf8bed70cc2df67d9394b7c

SHA512
d173d2b04dfe0a1157f6a572c36307b0972a611a3b0e02c17e8f96ad37b7482aca6664e1664c09cebd77fb7dbe0e114805bb3eb4f809c4fabc91ae482cb4ca56

Download Submit
memory/2196-0-0x00000000001A0000-0x00000000004C0000-memory.dmp

Filesize
3.1MB

Download
memory/2196-25-0x00000000001A0000-0x00000000004C0000-memory.dmp

Filesize
3.1MB

Download
memory/2588-16-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/2588-17-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/2588-19-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-20-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-21-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-22-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-23-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2588-26-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing