revengerat | 244bf22d73da3d7fb884b0ef1fa3c4d431045e4ef0b5e9f5ac0610cf17ef222d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
Size

1.1MB
MD5

6ad6de8528a64df30dd75e62e7bd911f
SHA1

1ee295a4d786978d902a2f3676f80e37301d7225
SHA256

244bf22d73da3d7fb884b0ef1fa3c4d431045e4ef0b5e9f5ac0610cf17ef222d
SHA512

ac84190e662f1e904c7f29a500dead32ed2efe0edacfebc06c8154acdd243667f348116030f9d03fc89b40fb4b70b51f42c90ce6beef1f8d9f0448904494172f
SSDEEP

24576:2q5TfcdHj4fmb12q30MmV0VMXLG3on1Gx1s4oo5osSxU:2UTsamhxxo1no5oK

Score

10^/10

revengerat stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023409-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3504	dmr_72.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1744-0-0x0000000000820000-0x0000000000A96000-memory.dmp	upx
behavioral2/memory/1744-20-0x0000000000820000-0x0000000000A96000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1744-20-0x0000000000820000-0x0000000000A96000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3504	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3504	dmr_72.exe
3504	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 3504	1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe	84
PID 1744 wrote to memory of 3504	1744	6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ad6de8528a64df30dd75e62e7bd911f_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54490388 -chipde -fb225e30562b49f8ae1a2637bc40019b - -BLUB2 -bpzwskqnaevsuroc -1744
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\bpzwskqnaevsuroc.dat

Filesize
175B

MD5
ad3e7e2c2f6bba192630090a0c7075d8

SHA1
7d991e78ad89aefcfc21a3c213c847981037c08b

SHA256
19de0569ec7610fabf6f921f19e357104cbcc498a620919d12b740e2e39d62e7

SHA512
e3c8ab0146539f882e90443c008bf6b32780efa36d8244fbe59898b46b8d95536a38f857d105df8290587cce29048a1f155f98520a49bef9e18683348ce82f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
373KB

MD5
7563de18185a34b3717528c1f18f0e60

SHA1
4e5e8b54dda603d7e83f3ede2bcdd8064d4edf22

SHA256
266b2766df8a91a8baa41ae47b5cbe03e80023516c6c69613ebf956b2574e82d

SHA512
2ea8afc613bb175a5399045017f306d12da1d300c443570039937896b66fffa346baaba46d2a7b45817db955fc4d86dc6e658677bfe30ef74355a0cef7ea6cbb

Download Submit
memory/1744-0-0x0000000000820000-0x0000000000A96000-memory.dmp

Filesize
2.5MB

Download
memory/1744-20-0x0000000000820000-0x0000000000A96000-memory.dmp

Filesize
2.5MB

Download
memory/3504-14-0x00007FFE39883000-0x00007FFE39885000-memory.dmp

Filesize
8KB

Download
memory/3504-13-0x0000000000F80000-0x0000000000FE2000-memory.dmp

Filesize
392KB

Download
memory/3504-16-0x00007FFE39880000-0x00007FFE3A341000-memory.dmp

Filesize
10.8MB

Download
memory/3504-17-0x00007FFE39880000-0x00007FFE3A341000-memory.dmp

Filesize
10.8MB

Download
memory/3504-18-0x00007FFE39880000-0x00007FFE3A341000-memory.dmp

Filesize
10.8MB

Download
memory/3504-19-0x00007FFE39880000-0x00007FFE3A341000-memory.dmp

Filesize
10.8MB

Download
memory/3504-22-0x00007FFE39880000-0x00007FFE3A341000-memory.dmp

Filesize
10.8MB

Download