revengerat

General

Target

37626322_1871171556512529_4700140521996156928_n.jpg
Size

62KB
Sample

240921-pcnm1s1erb
MD5

fb2e01e7199ecdeae00c5764a4005ed5
SHA1

2387cbd2f3ad41e2596dfb987baf65ae3b229db3
SHA256

bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2
SHA512

2b959bfe22e321db451b6f1681880ceda9d6ef660547ef0601feb442d6bb1079377cd4da782821428a23931480e668685ab9058ee6945a41f53a95986f5d2794
SSDEEP

1536:cRF5Wepb57lB9oqjVTs5sTkxO+VWhLVIB4kd+Wes1LLOsqBMQ:c9Ws5f9JSBWRVIB4cMspL7Q

Score

10^/10

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Targets

- Target
  
  37626322_1871171556512529_4700140521996156928_n.jpg
- Size
  
  62KB
- MD5
  
  fb2e01e7199ecdeae00c5764a4005ed5
- SHA1
  
  2387cbd2f3ad41e2596dfb987baf65ae3b229db3
- SHA256
  
  bab52efb1c11cba17e9ae78fdb51c2d8c825af93538eee05b12b2e30b8a0d6e2
- SHA512
  
  2b959bfe22e321db451b6f1681880ceda9d6ef660547ef0601feb442d6bb1079377cd4da782821428a23931480e668685ab9058ee6945a41f53a95986f5d2794
- SSDEEP
  
  1536:cRF5Wepb57lB9oqjVTs5sTkxO+VWhLVIB4kd+Wes1LLOsqBMQ:c9Ws5f9JSBWRVIB4cMspL7Q
Score

10^/10

discovery defense_evasion persistence revengerat guest evasion execution impact macro macro_on_action privilege_escalation ransomware stealer trojan credential_access exploit upx
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- UAC bypass
  evasion trojan
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- RevengeRat Executable
  stealer
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables cmd.exe use via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  evasion
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4