revengerat | b2ee5bd5b0e3cc0f9309ff42323f66f638542301d33beefa600a23a90ed94801

General

Target

997a5c705e9f2761962ac35ebcdd88a0N.exe
Size

1.1MB
MD5

997a5c705e9f2761962ac35ebcdd88a0
SHA1

ab637b8c25b4e5677a9eb89c2d649400ff1314fe
SHA256

b2ee5bd5b0e3cc0f9309ff42323f66f638542301d33beefa600a23a90ed94801
SHA512

719a9c6406e5f598af03c543bd63dedae2e6e11478419c515fe251f9c2729e29ee9a0e0283e0bd959c6af7b23b81bcf7ff67b935583ff38798df533c8e3f1430
SSDEEP

24576:Sq5TfcdHj4fmbo2q40MmV0VMXfGqcnUsG0Eh3lWaUnfnnO/sWv5:SUTsamsxw3nhwlonnO/l

Score

10^/10

revengerat discovery stealer trojan upx

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000800000001660d-4.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2276	dmr_72.exe

Loads dropped DLL 4 IoCs

pid	Process
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000050000-0x00000000002C8000-memory.dmp	upx
behavioral1/memory/2220-25-0x0000000000050000-0x00000000002C8000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2220-25-0x0000000000050000-0x00000000002C8000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	997a5c705e9f2761962ac35ebcdd88a0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage	997a5c705e9f2761962ac35ebcdd88a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	997a5c705e9f2761962ac35ebcdd88a0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	dmr_72.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe
2220	997a5c705e9f2761962ac35ebcdd88a0N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2276	dmr_72.exe
2276	dmr_72.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2276	2220	997a5c705e9f2761962ac35ebcdd88a0N.exe	30
PID 2220 wrote to memory of 2276	2220	997a5c705e9f2761962ac35ebcdd88a0N.exe	30
PID 2220 wrote to memory of 2276	2220	997a5c705e9f2761962ac35ebcdd88a0N.exe	30
PID 2220 wrote to memory of 2276	2220	997a5c705e9f2761962ac35ebcdd88a0N.exe	30

C:\Users\Admin\AppData\Local\Temp\997a5c705e9f2761962ac35ebcdd88a0N.exe
"C:\Users\Admin\AppData\Local\Temp\997a5c705e9f2761962ac35ebcdd88a0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe
  "C:\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -54424000 -chipde -3d028f571a294c49bf4fc1a757ae8e8c - -BLUB2 -mauixztajqghjdko -2220
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DMR\mauixztajqghjdko.dat

Filesize
163B

MD5
f2f3ab77e7330e37810228d664104210

SHA1
4fa79cc5a9b61484c2fbdc0bd2b08a031a17eec7

SHA256
3bccb8c3f6cac6b52fb2e92e8b8e52e7e795dc9130b263293aca08dace98f1e4

SHA512
0d143246ee4031e67ab69e25591a86f8bdead99564d4dba72a59cfa5fda5c3ea74691b394e71277e27378c53cba8786481ccb35bb268309ab3d1f8ded7c13713

Download Submit
\Users\Admin\AppData\Local\Temp\DMR\dmr_72.exe

Filesize
375KB

MD5
a00dc5a8831c076ff536b072415fcee3

SHA1
47b19ab97028d8925579bed54efee88c8107d6b6

SHA256
c9d8f7c9bcfa4758e17808dd79673ac10c22f37ccd37549543b16028b43dfe79

SHA512
642dbe332ab25ef7e3dfb9e29ca545312c339efa373f1a8da16686e26eda6c0219526b82989c65ead6a74e9ecbe9eca0de0283129832dd59394969c4b2886a4b

Download Submit
memory/2220-0-0x0000000000050000-0x00000000002C8000-memory.dmp

Filesize
2.5MB

Download
memory/2220-25-0x0000000000050000-0x00000000002C8000-memory.dmp

Filesize
2.5MB

Download
memory/2276-16-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/2276-17-0x0000000000C40000-0x0000000000CA2000-memory.dmp

Filesize
392KB

Download
memory/2276-19-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-20-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-22-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-21-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-23-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-26-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing