revengerat | acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

General

Target

acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
Size

17KB
MD5

af48897e401a79baf8086585c18cf8fe
SHA1

44e9a2699d07cbba45493000287ab5dfbe86df77
SHA256

acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595
SHA512

c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1
SSDEEP

192:NWnNnAi9HEsjSXOLqaJN5MoiwH7abHG+jR9nsVVI+2ky0C+2c:NWnJ9HaOEoiwH7ab9sVK+2ky0C+2c

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0008000000023471-13.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\imd.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
4564	IMD.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
Token: SeDebugPrivilege	4564	IMD.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4564	2924	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe	93
PID 2924 wrote to memory of 4564	2924	acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe	93
PID 4564 wrote to memory of 640	4564	IMD.exe	94
PID 4564 wrote to memory of 640	4564	IMD.exe	94
PID 640 wrote to memory of 5080	640	vbc.exe	96
PID 640 wrote to memory of 5080	640	vbc.exe	96

C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe
"C:\Users\Admin\AppData\Local\Temp\acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rkjdnaii.cmdline"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBCEFE972D76B4631A69C2A6144ACB48.TMP"
      4⤵
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC6C6.tmp

Filesize
1KB

MD5
18efda4f64259f4c38f5a5e70fc59359

SHA1
79f55e34024f0a2cdf23e19d18313bff85a7f9bd

SHA256
b93af5b44cdf377c70dd335530b2efaf7bc876794ffdf15b4ac488d18b54aab0

SHA512
ea482b35cdd12d7bade0e9d6757235257fe2922d629f9b2bd4d486ba604202002ed988a82680d7e9ac7f295d06c54a2054f84befd2da535897432c7ff0f65884

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkjdnaii.0.vb

Filesize
175B

MD5
766a80b102cc61cdfdef05f5d41ecf49

SHA1
8fc5687cf17d514917cb83ecb78a319b64c2017f

SHA256
70b93e450b765949ac432258843141724da8f4979079e124aa80f0f9f1e4e14e

SHA512
975aead67d67998e892f7e446d3b86b014f89a0aba3aecc77d596f56eef2f45c8b7c1cc161e7a6c911b07074391a8cb74dae50d61d6dd8905866d83730a10003

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkjdnaii.cmdline

Filesize
191B

MD5
aacac2ad773137de0dd0b5758086d46e

SHA1
10996902bed33c114b8cd9819c6c36652985a246

SHA256
f1ba0ccf77a3622edd1aaeff6f08f4f9d2b8d3d4aadcb08be4e2d165f136c0c9

SHA512
a4b363a7a40c45dcbfd7324b4d13f483456e2bbbee3873923cbbed86e35710686bcd8f1e167c9c3336f26337d961f7da797a2bc79ac2d24bf9fd90850f53eabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBCEFE972D76B4631A69C2A6144ACB48.TMP

Filesize
628B

MD5
f4204a25f9fd3b86c1af2514bee21827

SHA1
f8ba207bc7b2cc6b0f5f5d43284019f78ca72e68

SHA256
38aa7f22bdb395980c540ec2057562e5678607f8c573c82a68c074d3445b3fc4

SHA512
240a811734eecc6c48ebcbf6f39b4afc1d3398e248ba7062f2eba2b2e44a9d28a526aeef40dff833e2eaed286209668d926e50fd1b9f3b4e5bd2704c938733d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\IMD.exe

Filesize
17KB

MD5
af48897e401a79baf8086585c18cf8fe

SHA1
44e9a2699d07cbba45493000287ab5dfbe86df77

SHA256
acec05fb087440c24b6ac8a15051b8fc7fdfd92bdf458b165e1e19265395b595

SHA512
c65d348d3225e86909e33e9ef9717be72ea7f934b673f82748907f927c459c39e739dcb3ebcfc029b3fdd81d7a528cd2a025d01b28ded04a604a6375b13b8ea1

Download Submit
memory/2924-8-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/2924-4-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/2924-7-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/2924-0-0x00007FFAC7125000-0x00007FFAC7126000-memory.dmp

Filesize
4KB

Download
memory/2924-5-0x000000001BFE0000-0x000000001C042000-memory.dmp

Filesize
392KB

Download
memory/2924-2-0x000000001B940000-0x000000001BE0E000-memory.dmp

Filesize
4.8MB

Download
memory/2924-19-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/2924-1-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/2924-3-0x000000001BEC0000-0x000000001BF66000-memory.dmp

Filesize
664KB

Download
memory/2924-6-0x00007FFAC7125000-0x00007FFAC7126000-memory.dmp

Filesize
4KB

Download
memory/4564-22-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/4564-21-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/4564-20-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download
memory/4564-18-0x00007FFAC6E70000-0x00007FFAC7811000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing