revengerat | acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

General

Target

acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
Size

17KB
MD5

af48897e401a79baf8086585c18cf8fe
SHA1

44e9a2699d07cbba45493000287ab5dfbe86df77
SHA256

acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
SHA512

c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1
SSDEEP

192:NWnNnAi9HEsjSXOLqaJN5MoiwH7abHG+jR9nsVVI+2ky0C+2c:NWnJ9HaOEoiwH7ab9sVK+2ky0C+2c

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000c000000012268-9.dat	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
2548	IMD.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
Token: SeDebugPrivilege	2548	IMD.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2548	2196	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe	30
PID 2196 wrote to memory of 2548	2196	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe	30
PID 2196 wrote to memory of 2548	2196	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe	30
PID 2548 wrote to memory of 2368	2548	IMD.exe	31
PID 2548 wrote to memory of 2368	2548	IMD.exe	31
PID 2548 wrote to memory of 2368	2548	IMD.exe	31
PID 2368 wrote to memory of 1392	2368	vbc.exe	33
PID 2368 wrote to memory of 1392	2368	vbc.exe	33
PID 2368 wrote to memory of 1392	2368	vbc.exe	33

C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
"C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vtkrsvlo.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DF4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2DF3.tmp"
      4⤵
      PID:1392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2DF4.tmp

Filesize
1KB

MD5
f2b0119e4b1761418e6091ef38ddd60c

SHA1
c61fd92fb50a6ba4539df646ec1a4bbd688aa7e4

SHA256
908180691e2009a500cc77d9fb4a442509d5f35b0bfe5219d8d9e3443698c7e1

SHA512
53f21b925688c483335b471173fba888b99f05f04908a21f29034d818d076e6401e2df5c52ee9d631520bcaff143a97f28c130138e0c6e5c11d2f3102c9749d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2DF3.tmp

Filesize
628B

MD5
f4204a25f9fd3b86c1af2514bee21827

SHA1
f8ba207bc7b2cc6b0f5f5d43284019f78ca72e68

SHA256
38aa7f22bdb395980c540ec2057562e5678607f8c573c82a68c074d3445b3fc4

SHA512
240a811734eecc6c48ebcbf6f39b4afc1d3398e248ba7062f2eba2b2e44a9d28a526aeef40dff833e2eaed286209668d926e50fd1b9f3b4e5bd2704c938733d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtkrsvlo.0.vb

Filesize
175B

MD5
766a80b102cc61cdfdef05f5d41ecf49

SHA1
8fc5687cf17d514917cb83ecb78a319b64c2017f

SHA256
70b93e450b765949ac432258843141724da8f4979079e124aa80f0f9f1e4e14e

SHA512
975aead67d67998e892f7e446d3b86b014f89a0aba3aecc77d596f56eef2f45c8b7c1cc161e7a6c911b07074391a8cb74dae50d61d6dd8905866d83730a10003

Download Submit
C:\Users\Admin\AppData\Local\Temp\vtkrsvlo.cmdline

Filesize
191B

MD5
25f550d9416aba558fec2adaf3245238

SHA1
bb881916e40dc405f23f648b3caddcfbff5a4013

SHA256
571ec01caf0c19eb4bc99bfdce03b08ca740b0d1a2f8cb1f77b0e577dd9e69fa

SHA512
b0e5ba7fb74cd464cb55854329ea3ad0e5405e7d34b3cb3750d8653c48fe40e7f26b40772ddac98fffae6773d3a0d28df1b0c3a35096a9950f87eb7d0d8ee802

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe

Filesize
17KB

MD5
af48897e401a79baf8086585c18cf8fe

SHA1
44e9a2699d07cbba45493000287ab5dfbe86df77

SHA256
acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

SHA512
c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1

Download Submit
memory/2196-12-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-0-0x000007FEF642E000-0x000007FEF642F000-memory.dmp

Filesize
4KB

Download
memory/2196-4-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-3-0x000007FEF642E000-0x000007FEF642F000-memory.dmp

Filesize
4KB

Download
memory/2196-2-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2196-1-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-14-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-13-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-15-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-16-0x000007FEF6170000-0x000007FEF6B0D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing