revengerat | hxxps://github[.]com/Cryakl/Ultimate-RAT-Collection/blob/main/RevengeRat/Revenge-RAT%20v[.]0[.]1[.]7z

Analysis

max time kernel
247s
max time network
245s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Cryakl/Ultimate-RAT-Collection/blob/main/RevengeRat/Revenge-RAT%20v.0.1.7z

Score

10^/10

revengerat [victimname]discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

[VictimName]

[Host]:[Port]

Mutex

[Mutex]

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 7 IoCs

pid	Process
4236	Revenge-RAT v.0.1.exe
1888	Stub.exe
4524	Stub.exe
3124	Revenge-RAT v.0.1.exe
452	Server.exe
2660	Server.exe
1272	Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
68	raw.githubusercontent.com
69	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Stub.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Stub.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Stub.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Stub.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Server.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Update.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 6e003100000000002d5991991000524556454e477e312e310000540009000400efbe2d5991992d5991992e0000007a3402000000090000000000000000000000000000004b68050052006500760065006e00670065002d00520041005400200076002e0030002e00310000001a000000	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "4"	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Revenge-RAT v.0.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Revenge-RAT v.0.1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 6e003100000000002d5998991000524556454e477e312e310000540009000400efbe2d5991992d5998992e000000ae34020000000c000000000000000000000000000000588d720052006500760065006e00670065002d00520041005400200076002e0030002e00310000001a000000	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Revenge-RAT v.0.1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	Revenge-RAT v.0.1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Revenge-RAT v.0.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4784	msedge.exe
4784	msedge.exe
2104	msedge.exe
2104	msedge.exe
376	identity_helper.exe
376	identity_helper.exe
392	msedge.exe
392	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe
5020	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4236	Revenge-RAT v.0.1.exe
3124	Revenge-RAT v.0.1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2332	7zG.exe
Token: 35	2332	7zG.exe
Token: SeSecurityPrivilege	2332	7zG.exe
Token: SeSecurityPrivilege	2332	7zG.exe
Token: SeBackupPrivilege	1004	dw20.exe
Token: SeBackupPrivilege	1004	dw20.exe
Token: SeBackupPrivilege	1636	dw20.exe
Token: SeBackupPrivilege	1636	dw20.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2332	7zG.exe
4236	Revenge-RAT v.0.1.exe
4236	Revenge-RAT v.0.1.exe
3124	Revenge-RAT v.0.1.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
2104	msedge.exe
4236	Revenge-RAT v.0.1.exe
4236	Revenge-RAT v.0.1.exe
3124	Revenge-RAT v.0.1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3124	Revenge-RAT v.0.1.exe
452	Server.exe
1272	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3488	2104	msedge.exe	83
PID 2104 wrote to memory of 3488	2104	msedge.exe	83
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 1140	2104	msedge.exe	84
PID 2104 wrote to memory of 4784	2104	msedge.exe	85
PID 2104 wrote to memory of 4784	2104	msedge.exe	85
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86
PID 2104 wrote to memory of 2628	2104	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Cryakl/Ultimate-RAT-Collection/blob/main/RevengeRat/Revenge-RAT%20v.0.1.7z
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfff146f8,0x7ffcfff14708,0x7ffcfff14718
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8160746525226179230,13890186729214513870,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2860

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\" -ad -an -ai#7zMap25869:94:7zEvent23972
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2332

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Revenge-RAT v.0.1.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Revenge-RAT v.0.1.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4236

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Stub.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Stub.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1888
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1216
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1004

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Stub.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Stub.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4524
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1160
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Revenge-RAT v.0.1.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Revenge-RAT v.0.1.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Server.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Server.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:452
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Update.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Update.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:1272

C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Server.exe
"C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Server.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Revenge-RAT v.0.1.exe.log

Filesize
774B

MD5
1b2f0c7407b8bbbaaf86739abe069e81

SHA1
372380724c49f74a66176054790917f31134ec63

SHA256
3dd2fd61d338cf98cb575bd6efe579a67debb9e3b4535fd6c2dba57a120ffbfd

SHA512
ea3343f655b6ab1181174db403590199049340f3bf2fb51e44f6be8949102d83952d1e7c69d92066573187e56199827abd3c90defab86b05072b0896ab458ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Server.exe.log

Filesize
588B

MD5
40467707453108f706979ec73a37df8a

SHA1
628938889769ebacb153b5a5364d721fa9af733a

SHA256
c9362eb6be4e1efeb1564c78ec2b2f935bbf96642850d966ef8ba99c5b8bf16a

SHA512
d3ef659e8bc4161cae415f662eaabd252692d0fc116676662475b7bf30407c38b21984754908c78529e34b255135e0466314d5caf2d465bd9a7a3599b981db07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ee547931b458c957cd69cd4de5ca5dd7

SHA1
93b533f70e60e84233aedd4c26c93d5f4de38d8d

SHA256
3689e0d58bbbad473378f639475537fad6221af3b953b365c0dd71571b44b41a

SHA512
376ea68bfae3c9e8043a113f86074fc25b4855c303a0501694209440cb5c28a60c28a586174763d2403926101e3f586735a80008fa46515eb20f5eb79857fd32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a8c2bd58952c79dd48078ee111f5680

SHA1
9c9e047dbd2a93a395fee5d17470ea05ba861adc

SHA256
d9f91a417bbef1c1f3420aca5c41e492d34cded8d90851166a4b6536273d521c

SHA512
ae9ff980e3411d16e2e2536d2955045c28b5fc481a2cba309f8f78e7738e72d184858fd6184571ac5df4168fe1a66089e5b855bc08aedc15d4f548251d2d30cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8449cf0fe5371be69d69c33cbcdb3390

SHA1
5216f7760398b088ea8cfe56d1b8690bf29b0d43

SHA256
5fcccb47ce82fe288920d31452e436cddf4a0b6f92197ca65be196c6c17ceb86

SHA512
c36676cba1bd5c6479780670f8a1f5e65371a26c8369e5a13d6b4c821904555c2c6943d2c74e585406da2189b3717380ace76eea1af3102b13bcd953ea47937c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
828edcff1c3cd7ad00650d3dc40323a2

SHA1
cbc1ba2128145c20ea5ebbb6a20bbccdbb0297a0

SHA256
2477e23fecd5feb5bac8b11582a9ef563a520a2b3c42074500fbb7f277811fa2

SHA512
fc8750bdd1ff4332d21cafc83d1d109558c375806e758bfb27bec3f2b28dc3fda22ac4e48177e3a49d2819a257c80048c9d6bec75ed430efb5a3040bda9e56fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a6e38f0b4a28484610cda1f3085e3b4

SHA1
03a1a23e2ce3124c6692b7dd245b41338353e32c

SHA256
77ceecd71d5b4713ad2cd02910d5570a86e2b98333812d4eb53183fafd8706f4

SHA512
078294d5ef418dc3aa0f7608469fd567589435c563672158e99e7749051d89c520848465928cb065b117482f9b6664f8c96f1114ea4784507c41792aebb7fc97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7787e1639f0fb3177ed7dcf1474e1782

SHA1
5901408b01e3a9b35b3060b10347a20f35c8d558

SHA256
d767cafb40674b252de69db9a3d914cc8ed542e1ab9fa8546a3047bdf781231a

SHA512
c5a82306a803374fad404550bae1cef756087043eec220175d88f86754f68be13c925280cd2629a7ec6891e058b197a59b8690461c6b4678462ef90115d66b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581de3.TMP

Filesize
874B

MD5
c43530a1389a204f6f734f14cf7c0f74

SHA1
fa0e5631a2313209ec8e0fa7dc156f9056411b49

SHA256
57d09ddd22f6d40c8d7448f97ee23140679bbbb4c3fc7a9b30ad6fef2acf5faa

SHA512
53f6ac79fa196ad7670892504fba95d7923ffde02ff0d635881814ee8b7b397a766eee284530ea8a74a5748c0393975c55f5d62b9cf658f877d9142fd67f9abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27b71cd6a1fe8929839a6d0152c1929c

SHA1
f8a350003982416848b209646f243a67d62b2b34

SHA256
966e6c103a9f8e315dd2ab64e4e535e3dfb14c1297ade24f221dfce4690f2765

SHA512
0e3ae3e4ff1365e6be5ddb5db1441597e71fb8fae03a097649b28498bd81695cb193db9baf81df12348d28d6f711221d1f463bab8bdf30fbd5cf64ca446dadf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c5bb768b04fade16c9fdab150d69219d

SHA1
508b21c97269df1749045612b838c67bc4736ab1

SHA256
b0bf9e970ff476429080ad61ef63b84e7e38a13e50cf5df17ab287d0a906e390

SHA512
ade50c3e79f212eaa12483fa39e089dad56b04ec426e9476120f4cc8252bacdb00eb7c2d7953efea165331e6060b7678bbc82120079c6312719f71d5ad298416

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1.7z

Filesize
1.4MB

MD5
1d19989efa4ae38480086c0a8d48f7d9

SHA1
1acf7932fce1f1b3e4e6ab720cde8e149f0c8348

SHA256
03a75777869288c1e056c4b70616faf4731b48ef92e07b4be1fd4084256e075d

SHA512
bd54ad1725a890f091d399699625dc1c94f56d8f0973a96a688889e503c373320b6254c464f679e45efc7f8e8c70d1dce17bd28e63ba04e9898b67c31409f33f

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\GeoIP.dat

Filesize
592KB

MD5
1f897b5825cf91799831862620911aff

SHA1
77ec8fdf820a3f68afed858f3a27e5afce652a51

SHA256
5f85518cf71e7b53544e0bd0c1874d1f89a0d6de7a6ad50683517575aaa56301

SHA512
5520d1e4c488a9e7f618035cbfb5fb2abf0be1a63633d09757a130746f76b5cbb66061aef9e0f4a8258c4df24deeacefc7d71d086b04e5e1b91451ec98d9f948

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Mono.Cecil.dll

Filesize
273KB

MD5
80ea4bfe7944e2f384d97488c83d9d25

SHA1
18789622bdff9d99683504faf2a302a194e3b6c0

SHA256
1a1565804348c2e621e0a509cedaa516eeb7e9fadfbeefe58e1e9cf8ec16b915

SHA512
561e8c8465c1989dcc6c03b221f24c0f5c0ee278ff244d171f1761c79ee83debcb00973e2027be28ae77e47956a192b2a4a019e83b2802c62639f5d375aabe5b

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Revenge-RAT v.0.1.exe

Filesize
2.7MB

MD5
7368f1ebc332235e37b5672bb20d5c33

SHA1
b31fe70850b267b00c6e11f3dfd2153da3414f7e

SHA256
f1fc15082123a79f5350a6bf7897f4ac9c7474619f96efc556754918f3926ae7

SHA512
a6f79cc0c5b28b1b8212123fb7c143f7e0684d216555a0ed344d7a386354c98392a5a81ce3c28fbdc37047fa84873949b7ec6a1216548d9cb962e056237da9f7

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Server.exe

Filesize
35KB

MD5
603890561872855f409023bc4aa36095

SHA1
45b3707d313ffdd9f9738dfec1ed972db041be25

SHA256
835afbb050b2beb78cb5725f8f4c551e5f63a3cd26bd3664001ddaccdd00bdda

SHA512
68a74ff3356fd4214fc08fc0e6733a4a0982231789f2de84c6426ea24976a1f411662e3ecb9d4dd0de725f8556aee1eb08963cdd74dc8899a42a1a12c0188649

Download Submit
C:\Users\Admin\Downloads\Revenge-RAT v.0.1\Revenge-RAT v.0.1\Stub.exe

Filesize
36KB

MD5
cde25d887f23871247931c40224c0fa1

SHA1
07dac3739fbfa7167e525c75a830234c5a8cc666

SHA256
4c589dec2312f0a4f27d747aa77671f30699cbef80554d8fb1d85cf13642a753

SHA512
a0f8114617b4c6e954a89fe76d878519c6683217a57b5f72114e3e4d1c51a4fe9f825c8619254317f88836b398ee3d4eb8b90489fd48ba0de48dd1a787aef92c

Download Submit
memory/452-353-0x000000001EF30000-0x000000001EF92000-memory.dmp

Filesize
392KB

Download
memory/3124-338-0x0000000000F00000-0x0000000000F4A000-memory.dmp

Filesize
296KB

Download
memory/4236-288-0x000000001CD00000-0x000000001CD4C000-memory.dmp

Filesize
304KB

Download
memory/4236-287-0x000000001BF70000-0x000000001BF78000-memory.dmp

Filesize
32KB

Download
memory/4236-286-0x000000001CAA0000-0x000000001CB3C000-memory.dmp

Filesize
624KB

Download
memory/4236-285-0x000000001C490000-0x000000001C95E000-memory.dmp

Filesize
4.8MB

Download
memory/4236-284-0x000000001BEC0000-0x000000001BF66000-memory.dmp

Filesize
664KB

Download