revengerat | 74818ceb11f1c538bb637d333c6a6c2cf2606829598c14423878e8ce2e9a9a53

General

Target

4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe
Size

2.0MB
MD5

4bdb1e053a3f893f0a0560124915e26f
SHA1

1f65309c9e341b6950b69505f132a229a61f4537
SHA256

74818ceb11f1c538bb637d333c6a6c2cf2606829598c14423878e8ce2e9a9a53
SHA512

4954a567cb313263924ed215eb9dca680fe26b24e52c8a83ca60a4b6a99a950dafe0f8e37c99c9586a21edf420c7d0d61014346b26be71d6a5a81add1d8a1ffe
SSDEEP

24576:hBWC00PGDUzrKqNYdqqdnwKnLkdWREvODMHZH/wWr7hdsQvfsl7quLVt:hwCfEqNyFwKZWnWDV

Score

10^/10

revengerat persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
22logitech2212

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000012117-4.dat	revengerat

ACProtect 1.3x - 1.4x DLL software 6 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00070000000175e6-23.dat	acprotect
behavioral1/files/0x00070000000175ec-28.dat	acprotect
behavioral1/files/0x00070000000175f2-30.dat	acprotect
behavioral1/files/0x0008000000017425-26.dat	acprotect
behavioral1/files/0x0034000000018675-32.dat	acprotect
behavioral1/memory/2832-42-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2800	504.exe
2832	FirePassword.exe

Loads dropped DLL 5 IoCs

pid	Process
2832	FirePassword.exe
2832	FirePassword.exe
2832	FirePassword.exe
2832	FirePassword.exe
2832	FirePassword.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0034000000016f9f-21.dat	upx
behavioral1/memory/2832-22-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/files/0x00070000000175e6-23.dat	upx
behavioral1/files/0x00070000000175ec-28.dat	upx
behavioral1/files/0x00070000000175f2-30.dat	upx
behavioral1/files/0x0008000000017425-26.dat	upx
behavioral1/files/0x0034000000018675-32.dat	upx
behavioral1/memory/2832-43-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral1/memory/2832-42-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral1/memory/2832-41-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral1/memory/2832-40-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2832-39-0x0000000060210000-0x000000006021A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\504.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	504.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2832	FirePassword.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2800	504.exe
2800	504.exe
2800	504.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	504.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	504.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2800	504.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2800	2692	4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2800	2692	4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2800	2692	4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe	32
PID 2800 wrote to memory of 2984	2800	504.exe	34
PID 2800 wrote to memory of 2984	2800	504.exe	34
PID 2800 wrote to memory of 2984	2800	504.exe	34
PID 2800 wrote to memory of 2600	2800	504.exe	35
PID 2800 wrote to memory of 2600	2800	504.exe	35
PID 2800 wrote to memory of 2600	2800	504.exe	35
PID 2600 wrote to memory of 2832	2600	cmd.exe	38
PID 2600 wrote to memory of 2832	2600	cmd.exe	38
PID 2600 wrote to memory of 2832	2600	cmd.exe	38
PID 2600 wrote to memory of 2832	2600	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4bdb1e053a3f893f0a0560124915e26f_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\504.exe
  C:\Users\Admin\AppData\Local\Temp\504.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\cmd.exe
    cmd /C cd C:\Users\Admin\AppData\Roaming\Microsoft
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    cmd /C C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe >C:\Users\Admin\AppData\Roaming\Microsoft\Error.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\504.exe

Filesize
743KB

MD5
ac348b2c0dcff24bf02c10c453857679

SHA1
17fe4261b55cd87a3052c5b182e3f74287a7cda0

SHA256
f0950ee00416aeed0dc13498ca237ac8af6a31bec7a8b48f6cf4ee233a5b97d1

SHA512
2205d607a76e765a6f7414d9bef7e650cae4e768cf9ffd240386a4205789b23aa78c073fc8be7dbf5f094eee8168895ba86385b054433c39a4fe9a3d239259bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Error.txt

Filesize
283B

MD5
1d870fe37141ae58bc38bc6794374781

SHA1
8b20b3096f36fe4d343fc770c5f29a7983760d48

SHA256
c51d09b0f2fe56f42ea2a852e6de4d8a45e5dbaa610c4caabb30c9c0ec3f8360

SHA512
575b36d30e80c75fe3bb97ba057260f283286f88f5e6b008b806402acf6d94d081ddae3414c531522d2bca51327732f83596fbaf1550d827574a8b4496b03e79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\FirePassword.exe

Filesize
200KB

MD5
dab03dc446a8d2b809ce7aade0fab8b4

SHA1
3c6c19c9c6612653aab2cce45a6507547142fab1

SHA256
2c19dd25af9acc7ae31881c28108acb64a6b544622b97aebb0e55af783402e00

SHA512
52ae8830e522b5314820edaca9cddc2cddb2e477874a7207bc4f65a8d22d94a3d5909000c113cb417db3d6c00e8f86306a518ff168f815e9029959977b833dc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
memory/2692-0-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

Filesize
4KB

Download
memory/2692-5-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-6-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2692-10-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-8-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-14-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-12-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-11-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-9-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-33-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-7-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-45-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-22-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2832-40-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2832-39-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/2832-41-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/2832-42-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download
memory/2832-43-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads