revengerat | 07af92f0d7debf7f977de61ae735a80a8c504620c61060953c963545e72d1c8d

General

Target

Client2‮COD..exe
Size

467KB
MD5

69c5d667bdb0c221dbb50d3301ad1d67
SHA1

c9fb83fc1cc21052a51c1e38bdaaf8b2c3653293
SHA256

07af92f0d7debf7f977de61ae735a80a8c504620c61060953c963545e72d1c8d
SHA512

221de0fe425d9691feb2b065e9cb02a5fad2e15b92829900a77c3728bc03ce2c329792e15dbb73378cb838c09479998f243cc7fe68bfa5abe653733fb5243798
SSDEEP

3072:zV3sMJibhTsNElLD5CbwDMV9SYzAwZd7uy6W:zV30hTsNElLDzDy78w/am

Score

10^/10

revengerat guest discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:1604

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Suspicious use of SetThreadContext 2 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exe

description	pid	Process	procid_target
PID 468 set thread context of 2236	468	Client2‮COD..exe	30
PID 2236 set thread context of 2716	2236	aspnet_compiler.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aspnet_compiler.exeaspnet_compiler.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exe

description	pid	Process
Token: SeDebugPrivilege	468	Client2‮COD..exe
Token: SeDebugPrivilege	2236	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Client2‮COD..exeaspnet_compiler.exe

description	pid	Process	procid_target
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 468 wrote to memory of 2236	468	Client2‮COD..exe	30
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31
PID 2236 wrote to memory of 2716	2236	aspnet_compiler.exe	31

C:\Users\Admin\AppData\Local\Temp\Client2‮COD..exe
"C:\Users\Admin\AppData\Local\Temp\Client2‮COD..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XXZMONF.txt

Filesize
52B

MD5
35470b93cb2286fa8532e10129b0e45d

SHA1
14c28cfe341ce7999ab395d57f06c5842b12c4fc

SHA256
43bec771d514dcd2f6e7829856888dccd736bafbb4fc472ee9e8e1a43ba1b742

SHA512
9c22db4fb31ef9a94d6e84793dfafe0631d15b5148a15ffbbf9ae96907c790ccd9b6d2ceea2ee7e0728b7b8dae853dc418b624bc32dc051ae5874e978b4f830c

Download Submit
memory/468-2-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/468-14-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/468-0-0x000007FEF62DE000-0x000007FEF62DF000-memory.dmp

Filesize
4KB

Download
memory/468-1-0x000007FEF6020000-0x000007FEF69BD000-memory.dmp

Filesize
9.6MB

Download
memory/2236-17-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-13-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-6-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-5-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-4-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-9-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-11-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2236-16-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-15-0x0000000074A41000-0x0000000074A42000-memory.dmp

Filesize
4KB

Download
memory/2236-40-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2236-7-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2716-36-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-20-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2716-22-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-28-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-33-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-19-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-29-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-37-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-39-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-38-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download
memory/2716-18-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2716-41-0x0000000074A40000-0x0000000074FEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads