revengerat | 3c4f09f050cd08b3538ea6bd0a2a0a543bab2c58b299b214a9c3161d7c53a537

General

Target

6ed1f348fc4e30067fbf3430d938e1a0N.exe
Size

1.1MB
MD5

6ed1f348fc4e30067fbf3430d938e1a0
SHA1

8672c9fd18f1f961743ffc393c31e208b718a464
SHA256

3c4f09f050cd08b3538ea6bd0a2a0a543bab2c58b299b214a9c3161d7c53a537
SHA512

bd8264f5374441901e8206a351b10e3c90a1fa3a1702c90317da2d741979e8e56524759ba0fe19d848a087fe68dd792f04aec23568cc3c1cb60d97c9c45b5ebc
SSDEEP

24576:Pq5TfcdHj4fmbA2qx0MmV0VMXR9mOphGkDKTeOffsGiE:PUTsamUxzOzrOffL

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x00090000000234b1-6.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	6ed1f348fc4e30067fbf3430d938e1a0N.exe

Executes dropped EXE 1 IoCs

pid	Process
3392	dmr_72.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4136-0-0x0000000000C80000-0x0000000000EF2000-memory.dmp	upx
behavioral2/memory/4136-20-0x0000000000C80000-0x0000000000EF2000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4136-20-0x0000000000C80000-0x0000000000EF2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ed1f348fc4e30067fbf3430d938e1a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	6ed1f348fc4e30067fbf3430d938e1a0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	6ed1f348fc4e30067fbf3430d938e1a0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe
4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3392	dmr_72.exe
3392	dmr_72.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 3392	4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe	86
PID 4136 wrote to memory of 3392	4136	6ed1f348fc4e30067fbf3430d938e1a0N.exe	86

C:\Users\Admin\AppData\Local\Temp\6ed1f348fc4e30067fbf3430d938e1a0N.exe
"C:\Users\Admin\AppData\Local\Temp\6ed1f348fc4e30067fbf3430d938e1a0N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54373183 -chipde -a0ef907135f6446f922fffe729d4357a - -BLUB2 -bkbvtlhvjnfjyoox -4136
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\bkbvtlhvjnfjyoox.dat

Filesize
111B

MD5
b09782ce2cb4cf7c61edd7786126ed99

SHA1
f1ffa7a0535aa36e230d5263c7f3bfcca6b2e071

SHA256
91452a68de6c37499bad3a455e24de7184494f90de8b51bf3a32487db7d455cf

SHA512
85064fe42f9a6f31dab0a0feb22c9e2efaba73e401a0ab433bd8152cbbc6b4376209b71bac2be4780e516ea76273acd9d319643765f87ac3119fb91ccfaec91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
369KB

MD5
19d8275624db964f341db752ce4c1bd3

SHA1
333beb35a70772f1757e99f0154d59964b921d3f

SHA256
e9789f0d4a7342ff6fa665e55f0f2d22b72ea6f71b3cad3e6acb0f8d05ff27e9

SHA512
c4bd903567576e670ee5d968e62345dd4e6a5fece3d59cd7b7634f09da4ade2f24aa9404c9c3f7f35658fdcfe3b2e02c8ae6930afa0b4ebf8b041e3e27993e94

Download Submit
memory/3392-13-0x00007FFBB5FA3000-0x00007FFBB5FA5000-memory.dmp

Filesize
8KB

Download
memory/3392-14-0x0000000000E20000-0x0000000000E80000-memory.dmp

Filesize
384KB

Download
memory/3392-16-0x00007FFBB5FA0000-0x00007FFBB6A61000-memory.dmp

Filesize
10.8MB

Download
memory/3392-17-0x00007FFBB5FA0000-0x00007FFBB6A61000-memory.dmp

Filesize
10.8MB

Download
memory/3392-18-0x00007FFBB5FA0000-0x00007FFBB6A61000-memory.dmp

Filesize
10.8MB

Download
memory/3392-19-0x00007FFBB5FA0000-0x00007FFBB6A61000-memory.dmp

Filesize
10.8MB

Download
memory/3392-22-0x00007FFBB5FA0000-0x00007FFBB6A61000-memory.dmp

Filesize
10.8MB

Download
memory/4136-0-0x0000000000C80000-0x0000000000EF2000-memory.dmp

Filesize
2.4MB

Download
memory/4136-20-0x0000000000C80000-0x0000000000EF2000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing