revengerat | ed1dcba995ed1ca1102131986fa0ad453e2443e1beb614f243c7b420e1a8ab46

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2024, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe
Size

21KB
MD5

e612faf3c6e6b0fd54efde7cdd819750
SHA1

ce59575a14908d3ae8059ea2f116085102d941c5
SHA256

ed1dcba995ed1ca1102131986fa0ad453e2443e1beb614f243c7b420e1a8ab46
SHA512

0aca9d1c79b8387a22fbca20163131e7c4d8624422cf1a9305652a43ab630c7de2810bbd94b77dff86713f7d68c23c9ad91c5ca96d17398cfb11d45e345bf102
SSDEEP

384:px4X0KIjvzobOBCVVuzmVsbYpHsoygDY:D4X2wbICz/3TDY

Score

10^/10

revengerat g1 discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

185.84.181.90:1175

Mutex

RV_MUTEX-KawrHJfWfhaRC

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000800000002344b-24.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegAsm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	RegAsm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	Client.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1432 set thread context of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 968 set thread context of 3364	968	RegAsm.exe	83
PID 2512 set thread context of 3276	2512	Client.exe	95
PID 3276 set thread context of 3508	3276	RegAsm.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe
Token: SeDebugPrivilege	968	RegAsm.exe
Token: SeDebugPrivilege	2512	Client.exe
Token: SeDebugPrivilege	3276	RegAsm.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 1432 wrote to memory of 968	1432	e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe	82
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 3364	968	RegAsm.exe	83
PID 968 wrote to memory of 2512	968	RegAsm.exe	94
PID 968 wrote to memory of 2512	968	RegAsm.exe	94
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 2512 wrote to memory of 3276	2512	Client.exe	95
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 3508	3276	RegAsm.exe	96
PID 3276 wrote to memory of 1496	3276	RegAsm.exe	98
PID 3276 wrote to memory of 1496	3276	RegAsm.exe	98
PID 3276 wrote to memory of 1496	3276	RegAsm.exe	98
PID 1496 wrote to memory of 3232	1496	vbc.exe	100
PID 1496 wrote to memory of 3232	1496	vbc.exe	100
PID 1496 wrote to memory of 3232	1496	vbc.exe	100

C:\Users\Admin\AppData\Local\Temp\e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e612faf3c6e6b0fd54efde7cdd819750_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3364
- - C:\Users\Admin\AppData\Roaming\Client.exe
    "C:\Users\Admin\AppData\Roaming\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      4⤵
      Drops startup file
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k3354-xa.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F39.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB284857572349A0971DC76AF4AC98.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
20B

MD5
b3ac9d09e3a47d5fd00c37e075a70ecb

SHA1
ad14e6d0e07b00bd10d77a06d68841b20675680b

SHA256
7a23c6e7ccd8811ecdf038d3a89d5c7d68ed37324bae2d4954125d9128fa9432

SHA512
09b609ee1061205aa45b3c954efc6c1a03c8fd6b3011ff88cf2c060e19b1d7fd51ee0cb9d02a39310125f3a66aa0146261bdee3d804f472034df711bc942e316

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWfhaRCl.txt

Filesize
84B

MD5
8501ae9436d6f64cd1b89e7e8f5bcb2a

SHA1
f5cb36758c1652565a9aa02163aedb36e462f65f

SHA256
cbc274cfc17623393262e3746fa61caaf8ecf989125ebdb8a24f951224ae9780

SHA512
b46c9ef42fc7b9fc0c2df39c75332a68b6a3e1860ad0b488f161efe1fe07ff96845f75c6273449b635a2694fb7c2b4d1875fc4303945437c309d47ef101cc50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LWfhaRCl.txt

Filesize
41B

MD5
ddacb8d91a476532677016ca8fa15154

SHA1
3e0ea6c24c766b6f05e1a36f47414bfa9f2cffb7

SHA256
fc66ce5a321ced54b4372b6b3933176680cfe42de956743e445b24ae53d24a65

SHA512
e61447050e38b910c9b95f0f203efc6be7c357183482c0de56979c29c1896b997e8b6c872558d13227e13b3aae1ce0934c861f3a718201b68539329d312980f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F39.tmp

Filesize
1KB

MD5
a3bd64c1c5fcf6c480dea12d9961f7e3

SHA1
80583b4aec1222e8518610af1cc1ef61d7ed413d

SHA256
4274b984c3cc4a17bd9b7fab04895ebf3a1ff5a5afdc68c0f20b598021f1d18e

SHA512
9529a9accb52ae1faf0e9805f7037f5289a7ff397907c3ddd18372eefb7bf70e8ba9d86dc2844cdd57aad50c196ab8a81e538dfa6eb9f58f591cef2b09aecfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3354-xa.0.vb

Filesize
151B

MD5
3eaac74aef65a953292fabe1ebbec9cc

SHA1
87e4e7c03a4f1b0e9a9b4655079b0e1d515de8f9

SHA256
9c1a56f9ce4f5542a08e566bb89a09a5b7f10a927431c3b2dcc0617e930cbfa0

SHA512
9be6406b9192f616df24cfa282fa6801672fdb7227db34ebf359ed80400f6cefb57616552ba11c0a6da6a6835f0b29eda0c685cc3fd1e12eca26fb8b7945bf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\k3354-xa.cmdline

Filesize
194B

MD5
04231652e9f527cbc6ecc24cb641c063

SHA1
239e123d4085f3c5ab87c2a216a1376568743b3f

SHA256
c6496e90efe0c5d2ae3a2d174b5f59bc8994f5636c407c245f035b52da1c9f8c

SHA512
78e21baa66c25d378000c05feb88c6c36d61fd79681d008a5d5aaa3c6bc6910f7a7bdaa315a1aed9beed7854b7ab18a2f751d582612f0d7eac84406753f1e959

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFB284857572349A0971DC76AF4AC98.TMP

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
21KB

MD5
e612faf3c6e6b0fd54efde7cdd819750

SHA1
ce59575a14908d3ae8059ea2f116085102d941c5

SHA256
ed1dcba995ed1ca1102131986fa0ad453e2443e1beb614f243c7b420e1a8ab46

SHA512
0aca9d1c79b8387a22fbca20163131e7c4d8624422cf1a9305652a43ab630c7de2810bbd94b77dff86713f7d68c23c9ad91c5ca96d17398cfb11d45e345bf102

Download Submit
memory/968-8-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/968-18-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/968-9-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-29-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-11-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/968-19-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/1432-7-0x00007FF86E240000-0x00007FF86EBE1000-memory.dmp

Filesize
9.6MB

Download
memory/1432-0-0x00007FF86E4F5000-0x00007FF86E4F6000-memory.dmp

Filesize
4KB

Download
memory/1432-10-0x00007FF86E240000-0x00007FF86EBE1000-memory.dmp

Filesize
9.6MB

Download
memory/1432-4-0x000000001C620000-0x000000001C682000-memory.dmp

Filesize
392KB

Download
memory/1432-3-0x000000001BAE0000-0x000000001BB86000-memory.dmp

Filesize
664KB

Download
memory/1432-1-0x00007FF86E240000-0x00007FF86EBE1000-memory.dmp

Filesize
9.6MB

Download
memory/1432-2-0x000000001C150000-0x000000001C61E000-memory.dmp

Filesize
4.8MB

Download
memory/3276-31-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3364-17-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3364-15-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3364-14-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/3364-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download