revengerat | 48d3f34a87180d7b45c21075a1eac7cbe09062cf773aebeb00c556143546a330

General

Target

All-in-One Checker/All-in-One Checker.exe
Size

1.6MB
MD5

ac75a2a8f6c389474016245df20b9534
SHA1

47db5f6215d6c4817b6508db94123764fd4acc0d
SHA256

e6b4c080dde0b5fa4291070e60a9fc779ef03c198ec4f99150c454a29534dccf
SHA512

ee5d52d49fefbbb660e1a924861c5b88717a81889383852e047c4fbcace4b0313a8096792f02bc1fc2758160d6551a61cfb7bc0e8c341118ee6d46c059997201
SSDEEP

49152:ZIxhRNN2eNLk00huhmNF7XcJ45sfgrXRSa:eRJo0Wu8NFZ5sfgrga

Score

10^/10

revengerat microsoft .net framework servcies persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Microsoft .Net Framework Servcies

C2

uogapk3.ddns.net:2222

uogapk4.ddns.net:2222

uogapk5.ddns.net:2222

uogapk6.ddns.net:2222

uogapk7.ddns.net:2222

uogapk8.ddns.net:2222

uogapk9.ddns.net:2222

uogapk10.ddns.net:2222

uogapk11.ddns.net:2222

uogapk12.ddns.net:2222

uogapk13.ddns.net:2222

uogapk14.ddns.net:2222

uogapk15.ddns.net:2222

uogapk16.ddns.net:2222

uogapk17.ddns.net:2222

uogapk18.ddns.net:2222

uogapk19.ddns.net:2222

uogapk20.ddns.net:2222

uogapk21.ddns.net:2222

uogapk22.ddns.net:2222

Mutex

RV_MUTEX-cdhKbhoxlCIvg

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2292-20-0x0000000000350000-0x0000000000370000-memory.dmp	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logs.lnk	UAC.exe

Executes dropped EXE 3 IoCs

pid	Process
1632	All-in-One Checker.exe
2292	Microsof.exe
2304	UAC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\UAC = "C:\\Users\\Admin\\AppData\\Roaming\\UAC.exe"	UAC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2216	All-in-One Checker.exe
2216	All-in-One Checker.exe
2216	All-in-One Checker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	All-in-One Checker.exe
Token: SeDebugPrivilege	2292	Microsof.exe
Token: SeDebugPrivilege	2304	UAC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1632	All-in-One Checker.exe
1632	All-in-One Checker.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1632	All-in-One Checker.exe
1632	All-in-One Checker.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1632	2216	All-in-One Checker.exe	28
PID 2216 wrote to memory of 1632	2216	All-in-One Checker.exe	28
PID 2216 wrote to memory of 1632	2216	All-in-One Checker.exe	28
PID 2216 wrote to memory of 1632	2216	All-in-One Checker.exe	28
PID 2216 wrote to memory of 2292	2216	All-in-One Checker.exe	29
PID 2216 wrote to memory of 2292	2216	All-in-One Checker.exe	29
PID 2216 wrote to memory of 2292	2216	All-in-One Checker.exe	29
PID 2292 wrote to memory of 2304	2292	Microsof.exe	31
PID 2292 wrote to memory of 2304	2292	Microsof.exe	31
PID 2292 wrote to memory of 2304	2292	Microsof.exe	31

C:\Users\Admin\AppData\Local\Temp\All-in-One Checker\All-in-One Checker.exe
"C:\Users\Admin\AppData\Local\Temp\All-in-One Checker\All-in-One Checker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\All-in-One Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\All-in-One Checker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\Microsof.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\AppData\Roaming\UAC.exe
    "C:\Users\Admin\AppData\Roaming\UAC.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\All-in-One Checker.exe

Filesize
2.2MB

MD5
db3b640c51ac0883ed4326efd068459c

SHA1
bfb9476e98aa56bfcf68190bf6c191b8e28058e4

SHA256
1571c83b0c8bb5a4e0728896553836101354fa899056943673c23dcb951a4932

SHA512
f80fabf7a9ca5156509a612081ae106d1b89b92dd460df09bc8bef5dc3318865caf3813fb7e2e88480cdf3cd1fdc5ae3cc45003f2dfc3229de49e112bc89158d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsof.exe

Filesize
140KB

MD5
78c721bdd2c605c2e34e7b763da45185

SHA1
f2ed36905bc1d3b73ad363fa4decc107226d5af7

SHA256
3e173eb871a7e89f10e195f140c1daa9d612fd46efe5bae02ba0eddc2df2b33a

SHA512
ab77eea66a43984f1e45085e61c57585e0ab3048a66ab8456f3fa0ad33edb34b1f732e71a77fdf75af1ce1264ae2f53dac8f0a463025252bfb08fbafa0285d00

Download Submit
memory/1632-21-0x0000000000030000-0x0000000000268000-memory.dmp

Filesize
2.2MB

Download
memory/1632-25-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1632-29-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1632-28-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1632-27-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/1632-26-0x0000000000690000-0x000000000069A000-memory.dmp

Filesize
40KB

Download
memory/1632-24-0x0000000000620000-0x000000000064C000-memory.dmp

Filesize
176KB

Download
memory/1632-22-0x0000000007050000-0x0000000007154000-memory.dmp

Filesize
1.0MB

Download
memory/1632-23-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2216-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2216-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-18-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-1-0x0000000000E20000-0x0000000000FB6000-memory.dmp

Filesize
1.6MB

Download
memory/2292-20-0x0000000000350000-0x0000000000370000-memory.dmp

Filesize
128KB

Download
memory/2292-19-0x0000000000BD0000-0x0000000000BFA000-memory.dmp

Filesize
168KB

Download
memory/2304-35-0x0000000001270000-0x000000000129A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads