revengerat | 8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d

Resubmissions

12-10-2024 06:19

241012-g3lx4sxgkh 7

12-10-2024 06:16

241012-g1nzpaxfnc 10

Analysis

max time kernel
126s
max time network
121s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-10-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revenge-RAT v3 - NYANxCAT.7z
Size

9.0MB
MD5

d0bdec0ca22aa6cdeae1abfb44f94ed9
SHA1

e5664aaf5b0cbaad33bbb6fb0389721cc863e51f
SHA256

8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d
SHA512

105fdf3867f2f56661756bc3356718b18fcf301584c126c9e68d1cdd2bc2b34b773325d0f8501fbb994001d6dc44a6e7765ff1286c0a55e9ff12b82602ba0a5a
SSDEEP

196608:CVxJlefNigwBUIiGrlLVM5c0h1Jfyc1LcORe:KJlefQl+IiGZVM5cK1J6uY1

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

127.0.0.1:1337

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000001ac99-246.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2428	Revenge-RAT v0.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\NodeSlot = "3"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000008458466d100041646d696e003c0009000400efbe845809628458466d2e000000935201000000010000000000000000000000000000008d817600410064006d0069006e00000014000000	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000004c592a3211004465736b746f7000680009000400efbe845809624c592a322e0000009f5201000000010000000000000000003e000000000005ac9f004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000845809621100557365727300640009000400efbe724a0b5d845809622e000000320500000000010000000000000000003a000000000093fa000155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 6c003100000000004c5934321000524556454e477e312e330000520009000400efbe4c5928324c5934322e0000001fac0100000008000000000000000000000000000000d0b7030152006500760065006e00670065002d005200410054002000760030002e00330000001a000000	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Revenge-RAT v0.3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4804	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1888	7zFM.exe
1888	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1888	7zFM.exe
2428	Revenge-RAT v0.3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1888	7zFM.exe
Token: 35	1888	7zFM.exe
Token: SeSecurityPrivilege	1888	7zFM.exe
Token: SeSecurityPrivilege	1888	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1888	7zFM.exe
1888	7zFM.exe
1888	7zFM.exe
2428	Revenge-RAT v0.3.exe
2428	Revenge-RAT v0.3.exe
2428	Revenge-RAT v0.3.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2428	Revenge-RAT v0.3.exe
2428	Revenge-RAT v0.3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2428	Revenge-RAT v0.3.exe
4804	explorer.exe
4804	explorer.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 4860	1888	7zFM.exe	74
PID 1888 wrote to memory of 4860	1888	7zFM.exe	74
PID 2428 wrote to memory of 4492	2428	Revenge-RAT v0.3.exe	79
PID 2428 wrote to memory of 4492	2428	Revenge-RAT v0.3.exe	79
PID 2428 wrote to memory of 4492	2428	Revenge-RAT v0.3.exe	79
PID 2428 wrote to memory of 4176	2428	Revenge-RAT v0.3.exe	81
PID 2428 wrote to memory of 4176	2428	Revenge-RAT v0.3.exe	81

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0678A087\Read Me.txt
  2⤵
  PID:4860

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3012

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /QUIET "C:\Users\Admin\AppData\Local\Temp\RV.IL" /output:"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Client.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4492
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe" /select,C:\Users\Admin\Desktop\Revenge-RAT v0.3\Client.exe
  2⤵
  PID:4176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0670F767\Revenge-RAT v0.3\Icons\Onedrive.ico

Filesize
361KB

MD5
257440f1449c4505669d278bf431405c

SHA1
5235870185889ffa48234f1f4af14647634c19ef

SHA256
a3c9e33dafb4c829a57a81ba8a6d94c2da9b343b6f9d6c933a4b5b88bbd96495

SHA512
d99bf41a9017dcef261fc9886887fdeb3d3b6db806d92d8f76c783764caa7f94738b7258750a5fb26cb6069f471d1acfb55dc79db5855a5619e9d864e74761a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0678A087\Read Me.txt

Filesize
1KB

MD5
3cf9a739eccb3441c1105ecf216326fa

SHA1
36b1840432d29980de54203592c439ff4c372aa3

SHA256
d399ba346c5903e726adaf939624084c6d88eed19b5bae40f9a716c2a091ea2a

SHA512
ea5c0cc60a8b86358eecd75d2a43ec09482243a31732dd8a69a4d59117dcd7df8fe2a90a865e4de02ede91fb8ec2987354eea926af3e2a47725021d20040791c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RV.IL

Filesize
200KB

MD5
3af4e8e849a43c5bf1a73bb9edfc573c

SHA1
e3504365f8e3e92ec445e2e4595559547f5ae695

SHA256
21718bf05b7827bf9f285579d74b241f8490214099d2c53969344c283a509ae6

SHA512
4dd6b0504791ff66d0485b57978af97e3723b13b2f1496a046108f75a18780f9bb6dd9e1bc0418115cea5e3b9c2a5ac7ccdf1e1b13995c7b661dd0daeb90ba78

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Client.exe

Filesize
17KB

MD5
d25b7e6e4d50883de65148a0d80ce583

SHA1
b63939c3d2b5da6baa0719f69efad46810377def

SHA256
db5a396a2847172bec2988edc0a27bf87cc2641c905aaee3ee28cde04016675b

SHA512
65efe6e83169fe06854418fe30d9b27ad703ca17e6739de8e836686f9ea6066801df8d96f3350968a4c6ab99fd06471264cd566b74234b7fd279a5610cf37fbb

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML

Filesize
820B

MD5
b6052e9cfe99fa938e45b517e433f6c9

SHA1
981305233b439f561f4c01504e998c86b78bfc58

SHA256
334f0d66b796f485b95ae1c9d0acf108daa3fef3f69d489cb61135421d919b09

SHA512
7e68924c8579d8792b25c3df80c70f63ceeba4f6353ebc92e28ccd4fa8ff875226af9ed47de26db366ba81c3329bc976fba79167e9a1dd4c431563b3f9e4d372

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Database\2024-10-12\6-17-36 AM.log

Filesize
98B

MD5
aa671be301dc8f2ce001fd5931d4f950

SHA1
449c579e86de674d08ef8b77b57169e779174940

SHA256
75bf7190e6771ab117c5dd13fe31e8e12c0a418dbe134f49051dad5f5258ac4c

SHA512
28e9960138e4cbc8909ce0bb27d5c912de86040759cdcbcc0d427aa3a340ca480a833aa17a784aca16550f7689b6224df4ee70850633f8b568521c6517d130c1

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\GeoIP.dat

Filesize
1021KB

MD5
953c073031a08211d72daeec0551a20d

SHA1
de7441086bf49d7e590172ee07ca9ccc3d690298

SHA256
6615e1e1d8e9ee5ae891dcc43fdd050787f28227369eed50ab3403b171a187f2

SHA512
076de07d270878c4846c0d091a76cec925d57399bdf937791232a5363bee7bdc9f14418530593f1a509fe0df3db0454793635b70feb913413829e1bf2c85b8a3

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Plugin Compiler.exe

Filesize
534KB

MD5
fb315d1ae339c9506033026e78500199

SHA1
97dc5017a8a796750567fcd7b5bfb4be2233a5ae

SHA256
2f4fd04bbf02ef75845bfb287e5abc4fb7ae9a81776142b573eadadbf28fbe81

SHA512
895fc9f3c10bcab8c30fd7773820130b7d8d7e2145226052fedbb210b564db39e9078666762836235a8c6c40c49a3bb2b41f49f7753c97c2f09370a0327e154c

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\RV.IL

Filesize
199KB

MD5
1d53a65db11584e837b174ebe613b420

SHA1
da5a9520b87e8e3948e50efcc38e57ac81b5b7a5

SHA256
55b1ecc7dbf85391473ee013e1512ade5d4d38b6f784cf34155b998f884b212c

SHA512
3d2d5b364d4f1d184434d8c45121352a383ce17c694329d55133392d9112ded08be96d59a6aaf797c5c79e72c23e17c80b7b2ae2c37d17df8a8e630c146b6222

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe

Filesize
13.7MB

MD5
3a401ee7f0ebb09564f82891521b5e27

SHA1
47b8d2a42e4054b5dcac9f71454c9c3c285998d7

SHA256
e2a3f5a0149222888c9e48ff828f35b3b4ace7d6b21e4d55a1bb7a7b3f76fd7f

SHA512
b13556841b9db9f009d65b981abbb6690a6bfc6a7289c10c981d2303d66624ca8d80c2f545045409890cddc539794540db66dd520531bf17a4660c001efbee13

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Theme Compiler.exe

Filesize
489KB

MD5
32ca48211b21af0bcc003d4433319671

SHA1
17e7c3362bc9663ddd10a1add0b5f42bbe51bf83

SHA256
19c95ad5cf50f8c8273fcd4179c4878ebede832f9234955ac4fd4233b5b6a693

SHA512
7ce094cd520e5074ec45b9eb23a09e2adc177233de0f17e63cdca124817c3dab4e412c3868aaf24b3efdf67ab7c7f00409bceb38ed5fcfbfc7673de3632b866e

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Themes\Default.XML

Filesize
288B

MD5
8236b11ddfa2da4eefdaea1fb5c5f055

SHA1
5c80687119c1b666af761b4504478581c156b535

SHA256
13f89672439f33200d4356090fc568b7fe708b27a40b419ce3f63e7c83efa775

SHA512
63cabfb5f2b369730b2380c6ad1004b0ac1a168a949804b9893cedd9cd12ebd5811595d7bd1a013f2b54362ffacef5fff1252f655a49d39c6475e984ad7e74c9

Download Submit
memory/2428-218-0x000002B1751A0000-0x000002B175F58000-memory.dmp

Filesize
13.7MB

Download