revengerat | 3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c

General

Target

LisectAVT_2403002B_52.exe
Size

1.1MB
MD5

56ac9e72644a8dae8c1968d63a26e58a
SHA1

d0349d04f33400541898426438d9e036d21decc5
SHA256

3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c
SHA512

d4f5c176b3e4fda2a318fde3ec3702d9bf102bd752ee42b4549b9fd6630fdcbee20de63fc7a403f60768ac7c0a7d780bc542c8d60f4e2b9eeb19a40aba49ddc1
SSDEEP

24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LisectAVT_2403002B_52.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	LisectAVT_2403002B_52.exe

Executes dropped EXE 1 IoCs

Processes:

dmr_72.exe

pid process

3608 dmr_72.exe

pid	process
3608	dmr_72.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1544-0-0x0000000000BA0000-0x0000000000E16000-memory.dmp	upx
behavioral2/memory/1544-20-0x0000000000BA0000-0x0000000000E16000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/1544-20-0x0000000000BA0000-0x0000000000E16000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LisectAVT_2403002B_52.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LisectAVT_2403002B_52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	LisectAVT_2403002B_52.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	LisectAVT_2403002B_52.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LisectAVT_2403002B_52.exe

pid process

1544 LisectAVT_2403002B_52.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dmr_72.exe

description pid process

Token: SeDebugPrivilege 3608 dmr_72.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

LisectAVT_2403002B_52.exe

pid process

1544 LisectAVT_2403002B_52.exe
1544 LisectAVT_2403002B_52.exe
1544 LisectAVT_2403002B_52.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LisectAVT_2403002B_52.exe

pid process

1544 LisectAVT_2403002B_52.exe
1544 LisectAVT_2403002B_52.exe
1544 LisectAVT_2403002B_52.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dmr_72.exe

pid process

3608 dmr_72.exe
3608 dmr_72.exe

pid	process
1544	LisectAVT_2403002B_52.exe

description	pid	process
Token: SeDebugPrivilege	3608	dmr_72.exe

pid	process
1544	LisectAVT_2403002B_52.exe
1544	LisectAVT_2403002B_52.exe
1544	LisectAVT_2403002B_52.exe

pid	process
1544	LisectAVT_2403002B_52.exe
1544	LisectAVT_2403002B_52.exe
1544	LisectAVT_2403002B_52.exe

pid	process
3608	dmr_72.exe
3608	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

LisectAVT_2403002B_52.exe

description	pid	process	target process
PID 1544 wrote to memory of 3608	1544	LisectAVT_2403002B_52.exe	dmr_72.exe
PID 1544 wrote to memory of 3608	1544	LisectAVT_2403002B_52.exe	dmr_72.exe

C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_52.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_52.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
"C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -mqkcrbahiwnsmgqp -1544
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
373KB

MD5
1b81fa48134378f2b8d54a41fcfcf0ca

SHA1
ff6fd97bcc603890c9bdffebe992a8b95d4f2686

SHA256
5e2931d27098e63b67126ec2e036d8e2f4e46814d8c777c0307e3eec3b947707

SHA512
b0a9ae05da6e73729cf61ba7e58015630bd69c508fbfaa8cd6d9d116b63def1c67e7298680aa8d6d99f20d77e91dd14d880466ba21a1062498fdf3687518c8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\mqkcrbahiwnsmgqp.dat

Filesize
163B

MD5
8c934b48a05955c6cc934925f4c01e7d

SHA1
b6300c8e23a440e85637a6e8f028ff25bee676d6

SHA256
51be55dd44a7d2c782ef432971878a64040aec99c5ec0b53ac92d72bb2645992

SHA512
199896d1482d91a24d896452b1a81b4c717a2781b0261aa7b32bd5fc38cdf84bf000d9487efa6bd799ae5b9b04019f5dd64bb174f5eec285d76aa9d8f3d1aa69

Download Submit
memory/1544-0-0x0000000000BA0000-0x0000000000E16000-memory.dmp

Filesize
2.5MB

Download
memory/1544-20-0x0000000000BA0000-0x0000000000E16000-memory.dmp

Filesize
2.5MB

Download
memory/3608-13-0x00007FFCC5DF3000-0x00007FFCC5DF5000-memory.dmp

Filesize
8KB

Download
memory/3608-14-0x0000000000DA0000-0x0000000000E02000-memory.dmp

Filesize
392KB

Download
memory/3608-16-0x00007FFCC5DF0000-0x00007FFCC68B1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-17-0x00007FFCC5DF0000-0x00007FFCC68B1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-18-0x00007FFCC5DF0000-0x00007FFCC68B1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-19-0x00007FFCC5DF0000-0x00007FFCC68B1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-22-0x00007FFCC5DF0000-0x00007FFCC68B1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads