revengerat | 80c688eb323f32f41410c8290c56924bd8a721dac1a050ad0998cf17dc632730

General

Target

709423071efc64db1cc71e5ea210d6b0N.exe
Size

1.4MB
MD5

709423071efc64db1cc71e5ea210d6b0
SHA1

f960e68f9e7551015ae84c82efce21626d3755d6
SHA256

80c688eb323f32f41410c8290c56924bd8a721dac1a050ad0998cf17dc632730
SHA512

b76f1490b294b7a4e3eeaa9e64f5be022039648588c25a16611e78ea3bda331a28941185784cf84fa1ab4f35d4a5c8bca7f79d930ca431dae455554679296c0c
SSDEEP

24576:cq5TfcdHj4fmb9Ve9l2q+K26wQzLMnUAFFIfHWEzKJ9TtrWgXiFurFtW0zQJ9Ttp:cUTsamC9lxUFB5lFI5p

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x000800000001747b-4.dat	revengerat

Executes dropped EXE 1 IoCs

Processes:

dmr_72.exe

pid	Process
1748	dmr_72.exe

Loads dropped DLL 4 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

pid	Process
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3052-0-0x00000000001A0000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/3052-24-0x00000000001A0000-0x000000000049D000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3052-24-0x00000000001A0000-0x000000000049D000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	709423071efc64db1cc71e5ea210d6b0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	709423071efc64db1cc71e5ea210d6b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	709423071efc64db1cc71e5ea210d6b0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

pid	Process
3052	709423071efc64db1cc71e5ea210d6b0N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

pid	Process
3052	709423071efc64db1cc71e5ea210d6b0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dmr_72.exe

description	pid	Process
Token: SeDebugPrivilege	1748	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

pid	Process
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

pid	Process
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe
3052	709423071efc64db1cc71e5ea210d6b0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dmr_72.exe

pid	Process
1748	dmr_72.exe
1748	dmr_72.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

709423071efc64db1cc71e5ea210d6b0N.exe

description	pid	Process	procid_target
PID 3052 wrote to memory of 1748	3052	709423071efc64db1cc71e5ea210d6b0N.exe	30
PID 3052 wrote to memory of 1748	3052	709423071efc64db1cc71e5ea210d6b0N.exe	30
PID 3052 wrote to memory of 1748	3052	709423071efc64db1cc71e5ea210d6b0N.exe	30
PID 3052 wrote to memory of 1748	3052	709423071efc64db1cc71e5ea210d6b0N.exe	30

C:\Users\Admin\AppData\Local\Temp\709423071efc64db1cc71e5ea210d6b0N.exe
"C:\Users\Admin\AppData\Local\Temp\709423071efc64db1cc71e5ea210d6b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54477683 -chipderedesign -4b43c3d20a494f39b89124bcffef87c1 - -BLUB2 -iotbspilbwztcpsy -3052
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\iotbspilbwztcpsy.dat

Filesize
151B

MD5
756eb721b1141ffaf408efb0f9fcfee8

SHA1
d08287e8e200b7e0cb3cf2adaa5d1914d79b1c73

SHA256
9e60f2fef4c98659d983637634a0447853e364ab4d902f77e4a21c392554c76e

SHA512
429e3b10be19163626dfd54d19f72b4dcb1fade53cf6b6bfb4e15f0161f9f9cfdb5f55a54980258743de4fec81c8e76e6559e8a8a9a55434ccb2c5666bb4a44c

Download Submit
\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
508KB

MD5
3c6bc1b7a85f5fda2926b0b3b3548e30

SHA1
928a536fbff196495b90e4bd51b932485b84a099

SHA256
5a681e3de52b6d99d3ed2d106df0d9d70f51c38abc380d7fadd9b89756487375

SHA512
e893d9c5423a4dce106844e85c10131ae57677369f9b34dca181f5110d7611e6c4a1d5eaf14e0ae19b1fa506f69eedc99a56bb06a17ab4c5b4c6451e49c382dc

Download Submit
memory/1748-16-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1748-17-0x0000000001300000-0x0000000001384000-memory.dmp

Filesize
528KB

Download
memory/1748-19-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-21-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-22-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-23-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1748-25-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/3052-0-0x00000000001A0000-0x000000000049D000-memory.dmp

Filesize
3.0MB

Download
memory/3052-24-0x00000000001A0000-0x000000000049D000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads