revengerat | 16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1

Resubmissions

03/08/2024, 22:30

240803-2evwbsxemn 10

03/08/2024, 21:31

03/08/2024, 21:20

03/08/2024, 21:04

03/08/2024, 20:57

03/08/2024, 20:27

09/12/2021, 20:37

Analysis

max time kernel
269s
max time network
269s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03/08/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
Size

988KB
MD5

afb30fed336e9b1e5e8ea5d941691b2a
SHA1

afeb330ea75da11608bc4f32d3490ed38cfd4c11
SHA256

16b4664969ce27b9914dc9d41b5baa16a341e00f442527efffd478a73a014fa1
SHA512

f509ae85f1e0cb7d1803f5d84f43cf58ec8363e816614b1668ae7ae5bbb86547ec507776022dcb9ba3bf776837e17e72816208bb2a8e790eef0c807131b6b27a
SSDEEP

24576:MAHnh+eWsN3skA4RV1Hom2KXMmHaYfNZ8tvDej5:rh+ZkldoPK8YaYlZ81q

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2408-27-0x0000000000280000-0x0000000000298000-memory.dmp	revengerat

Executes dropped EXE 2 IoCs

pid	Process
2120	gons.exe
2408	temp5789e.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\temp5789e.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 1236	2408	temp5789e.exe	33
PID 1236 set thread context of 2072	1236	InstallUtil.exe	34

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	temp5789e.exe
Token: SeDebugPrivilege	1236	InstallUtil.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 2120	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	31
PID 2784 wrote to memory of 2120	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	31
PID 2784 wrote to memory of 2120	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	31
PID 2784 wrote to memory of 2120	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	31
PID 2784 wrote to memory of 2408	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	32
PID 2784 wrote to memory of 2408	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	32
PID 2784 wrote to memory of 2408	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	32
PID 2784 wrote to memory of 2408	2784	FreeBitco.in Next Roll Prediction (Trial 1 Day).exe	32
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 2408 wrote to memory of 1236	2408	temp5789e.exe	33
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34
PID 1236 wrote to memory of 2072	1236	InstallUtil.exe	34

C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe
"C:\Users\Admin\AppData\Local\Temp\FreeBitco.in Next Roll Prediction (Trial 1 Day).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\gons.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hqqNLCGRF.txt

Filesize
54B

MD5
feff0ef7b1806ec99a169a9c65bf7d85

SHA1
506370d143d605e5a1b2f8dcb28ff3d28d7f47bf

SHA256
06c3fa449cae6477b6389f6c509574ab2eb909497b857c9944e91b3c049cefdd

SHA512
e0e78ece6708b4021629ccfd421b0e941bd0369e82d7f82e6e0b104aad588f65c388231531b501b7d13b7884209fe25a96c71beaacb45c60bf20af8530bc7a05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\temp5789e.exe

Filesize
591KB

MD5
70ba9bb9b4a4a5c81b2c17f0110cef81

SHA1
75ce808554c4f79cb4d603fa500d7205cadffdc8

SHA256
b2a46393e1234b2408ba71a338c7665119dcf57c8a2e7c9247c69b25943d3b11

SHA512
a0d824e4ca56d1ea72a1cacf51b6267a452f21ecd8e2037ee401970491fe3aed9ec56f704d862f158899c158c7c0bf48ace610be854ccd00039b8f1c25ef262f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\gons.exe

Filesize
93KB

MD5
5596954c05b7854febf8fc86258ee259

SHA1
0f3cbe5382fbe23d0d4d425a9343339c20fe47d0

SHA256
489360ed325274a369c234b382d29a8cbeb3827cb9e305b809fc286408af87d9

SHA512
9ee9ef01aa832f31e5d41f22c6623046513dfb247838b749ae65eb7a8e71ccab31c38f41c33978c33ddf203511cab454a11ff0473237344663dd20da84d69f2e

Download Submit
memory/1236-31-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-37-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-35-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1236-40-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-41-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-33-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1236-42-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2072-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-44-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2072-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2120-26-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-24-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-25-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-20-0x00000000013B0000-0x00000000013CC000-memory.dmp

Filesize
112KB

Download
memory/2120-19-0x000007FEF5D43000-0x000007FEF5D44000-memory.dmp

Filesize
4KB

Download
memory/2120-29-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-27-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/2408-43-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-28-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-21-0x0000000001160000-0x00000000011FA000-memory.dmp

Filesize
616KB

Download
memory/2408-23-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-22-0x000007FEF5D40000-0x000007FEF672C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads