revengerat | 1f9159f350d807216525b3b66262a77bc316e504a5ca2be4494157bfce320041

General

Target

Windows 10 Setup Tool - CHIP-Installer.exe
Size

1.5MB
MD5

9ac8e5d5cd3a2f24d73cd53f300d500a
SHA1

3e58d58abbf0803b5bdaf505a948ea2aa7302cb1
SHA256

ea82f1c9c0b0f71f3ef15ca54e6b805e6d8b14ee9520d65bb11b308a613d2c93
SHA512

fcf66353522ad08f33b8df31f67a50a9a5d0ae4471dffff3ea9c3f992ae82c9bdc360ee540c9e47dc302dc608b213ca53cb22e04d4673f2d6708db2ac0856504
SSDEEP

24576:tq5TfcdHj4fmbK2qYjzKJ9Ttr8QKPvxriRfgpk7yjFzQJ9TtFkQKP5q4IRfG4vki:tUTsamOxz5+Lpk7j5p24vk7O

Score

10^/10

revengerat stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023271-7.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Windows 10 Setup Tool - CHIP-Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	dmr_72.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4616-0-0x00000000009A0000-0x0000000000CBD000-memory.dmp	upx
behavioral2/memory/4616-3-0x00000000009A0000-0x0000000000CBD000-memory.dmp	upx
behavioral2/memory/4616-16-0x00000000009A0000-0x0000000000CBD000-memory.dmp	upx

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4616-3-0x00000000009A0000-0x0000000000CBD000-memory.dmp	autoit_exe
behavioral2/memory/4616-16-0x00000000009A0000-0x0000000000CBD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe
1724	dmr_72.exe
1724	dmr_72.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4616	Windows 10 Setup Tool - CHIP-Installer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	dmr_72.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe
4616	Windows 10 Setup Tool - CHIP-Installer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1724	dmr_72.exe
1724	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 1724	4616	Windows 10 Setup Tool - CHIP-Installer.exe	91
PID 4616 wrote to memory of 1724	4616	Windows 10 Setup Tool - CHIP-Installer.exe	91

C:\Users\Admin\AppData\Local\Temp\Windows 10 Setup Tool - CHIP-Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Windows 10 Setup Tool - CHIP-Installer.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -81516301 -chipderedesign -6858cca256284ad98cca6fc9dbfda8a5 - -BLUB2 -vkdlzvgubapnudqt -4616
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
539KB

MD5
859436ebb365cb1d380a84e7bd083f51

SHA1
6514b96cddd12642a300380b68097dd4ff5c8b91

SHA256
e4041ea08201a212a87c8b7be46fe6a2552e408c5bf8d3203d7d1e885725d096

SHA512
1120a55550c48a1618899f3ec6e794ca1f572504fe0b784c5bc232d393a82ef8858af40c048dcc381e176c37c8c0d8e51fa649c5f6bc63b018d2c5097be6d480

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\vkdlzvgubapnudqt.dat

Filesize
159B

MD5
5a3ec82312311cae70e141dafd2423ea

SHA1
6f8be45d3b29c8c7afa278021c8fa089287aa86e

SHA256
7e9c663eb631b6010053a8f563193a0714923af35da070d81988499107c31b8c

SHA512
816dca0c8c47332ffb9fcc2c07bd9878bf8ecc8c7fd8b83e6c1a2e83e0f27ec08425c7affb44b63dd933be8f4544e30412010162e0dee57b4db68ce6f1ea82fc

Download Submit
memory/1724-19-0x000000001B1C0000-0x000000001B25A000-memory.dmp

Filesize
616KB

Download
memory/1724-20-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-15-0x0000000000190000-0x000000000021C000-memory.dmp

Filesize
560KB

Download
memory/1724-28-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-17-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-27-0x000000001B1C0000-0x000000001B25A000-memory.dmp

Filesize
616KB

Download
memory/1724-24-0x00007FFAE9213000-0x00007FFAE9215000-memory.dmp

Filesize
8KB

Download
memory/1724-14-0x00007FFAE9213000-0x00007FFAE9215000-memory.dmp

Filesize
8KB

Download
memory/1724-21-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-22-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-23-0x00007FFAE9210000-0x00007FFAE9CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4616-0-0x00000000009A0000-0x0000000000CBD000-memory.dmp

Filesize
3.1MB

Download
memory/4616-3-0x00000000009A0000-0x0000000000CBD000-memory.dmp

Filesize
3.1MB

Download
memory/4616-16-0x00000000009A0000-0x0000000000CBD000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing