revengerat | a202cfd031824705d38f624c23940126edf58c541d496a84eee7fbc13dde7d8d

General

Target

LisectAVT_2403002B_51.exe
Size

1.1MB
MD5

27cbd5d7725f56a0363c0b77148d27a5
SHA1

ac1b227624b87cd5fb8e7dcc3aca6d9fb503345f
SHA256

a202cfd031824705d38f624c23940126edf58c541d496a84eee7fbc13dde7d8d
SHA512

756038f61df386efa1290484906f35ed6d72d809dca4aac787f13f1a4110c52072eca0ce160884624665c5834d91d50e8153e8ae46cf76714adb8b97b8d645fc
SSDEEP

24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+:mUTsamOx9RoBVoCw

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LisectAVT_2403002B_51.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	LisectAVT_2403002B_51.exe

Executes dropped EXE 1 IoCs

Processes:

dmr_72.exe

pid process

3092 dmr_72.exe

pid	process
3092	dmr_72.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/936-0-0x0000000000140000-0x00000000003B6000-memory.dmp	upx
behavioral2/memory/936-20-0x0000000000140000-0x00000000003B6000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/936-20-0x0000000000140000-0x00000000003B6000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002B_51.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	LisectAVT_2403002B_51.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	LisectAVT_2403002B_51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002B_51.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LisectAVT_2403002B_51.exe

pid process

936 LisectAVT_2403002B_51.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dmr_72.exe

description pid process

Token: SeDebugPrivilege 3092 dmr_72.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LisectAVT_2403002B_51.exe

pid process

936 LisectAVT_2403002B_51.exe
936 LisectAVT_2403002B_51.exe
936 LisectAVT_2403002B_51.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LisectAVT_2403002B_51.exe

pid process

936 LisectAVT_2403002B_51.exe
936 LisectAVT_2403002B_51.exe
936 LisectAVT_2403002B_51.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dmr_72.exe

pid process

3092 dmr_72.exe
3092 dmr_72.exe

pid	process
936	LisectAVT_2403002B_51.exe

description	pid	process
Token: SeDebugPrivilege	3092	dmr_72.exe

pid	process
936	LisectAVT_2403002B_51.exe
936	LisectAVT_2403002B_51.exe
936	LisectAVT_2403002B_51.exe

pid	process
936	LisectAVT_2403002B_51.exe
936	LisectAVT_2403002B_51.exe
936	LisectAVT_2403002B_51.exe

pid	process
3092	dmr_72.exe
3092	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

LisectAVT_2403002B_51.exe

description	pid	process	target process
PID 936 wrote to memory of 3092	936	LisectAVT_2403002B_51.exe	dmr_72.exe
PID 936 wrote to memory of 3092	936	LisectAVT_2403002B_51.exe	dmr_72.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_51.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_51.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -vuafjtswgihhjiza -936
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
373KB

MD5
1b81fa48134378f2b8d54a41fcfcf0ca

SHA1
ff6fd97bcc603890c9bdffebe992a8b95d4f2686

SHA256
5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707

SHA512
b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\vuafjtswgihhjiza.dat

Filesize
163B

MD5
8c934b48a05955c6cc934925f4c01e7d

SHA1
b6300c8e23a440e85637a6e8f028ff25bee676d6

SHA256
51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992

SHA512
199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69

Download Submit
memory/936-0-0x0000000000140000-0x00000000003B6000-memory.dmp

Filesize
2.5MB

Download
memory/936-20-0x0000000000140000-0x00000000003B6000-memory.dmp

Filesize
2.5MB

Download
memory/3092-13-0x00007FFF33753000-0x00007FFF33755000-memory.dmp

Filesize
8KB

Download
memory/3092-14-0x0000000000030000-0x0000000000092000-memory.dmp

Filesize
392KB

Download
memory/3092-16-0x00007FFF33750000-0x00007FFF34211000-memory.dmp

Filesize
10.8MB

Download
memory/3092-17-0x00007FFF33750000-0x00007FFF34211000-memory.dmp

Filesize
10.8MB

Download
memory/3092-18-0x00007FFF33750000-0x00007FFF34211000-memory.dmp

Filesize
10.8MB

Download
memory/3092-19-0x00007FFF33750000-0x00007FFF34211000-memory.dmp

Filesize
10.8MB

Download
memory/3092-22-0x00007FFF33750000-0x00007FFF34211000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads