revengerat | c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Size

69KB
MD5

4f423fbb6d7c31fd3cac2c3729e39762
SHA1

547daf4dc1fec5c0f81b6f63987f945b68e1f40a
SHA256

c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c
SHA512

0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9
SSDEEP

1536:3OtU5/9U/H52Bw+RqX82e7thSxUzKU4dHy7JH14qwqMWchkx:eta/uou+Re5cnKU4dkt6WchI

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 2 IoCs

stealer

resource	yara_rule
behavioral2/memory/3948-3-0x0000000002C60000-0x0000000002C78000-memory.dmp	revengerat
behavioral2/memory/4336-13-0x0000000003070000-0x0000000003088000-memory.dmp	revengerat

Executes dropped EXE 1 IoCs

pid	Process
4132	Micosoft.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe
File opened for modification	C:\Windows\SysWOW64\Micosoft.exe	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3948 set thread context of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 4336 set thread context of 4044	4336	RegSvcs.exe	99
PID 4132 set thread context of 1140	4132	Micosoft.exe	107
PID 1140 set thread context of 1008	1140	RegSvcs.exe	111

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Micosoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
Token: SeDebugPrivilege	4336	RegSvcs.exe
Token: SeDebugPrivilege	4132	Micosoft.exe
Token: SeDebugPrivilege	1140	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 3948 wrote to memory of 4336	3948	4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe	94
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4044	4336	RegSvcs.exe	99
PID 4336 wrote to memory of 4132	4336	RegSvcs.exe	103
PID 4336 wrote to memory of 4132	4336	RegSvcs.exe	103
PID 4336 wrote to memory of 4132	4336	RegSvcs.exe	103
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 4132 wrote to memory of 1140	4132	Micosoft.exe	107
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111
PID 1140 wrote to memory of 1008	1140	RegSvcs.exe	111

C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f423fbb6d7c31fd3cac2c3729e39762_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- - C:\Windows\SysWOW64\Micosoft.exe
    "C:\Windows\system32\Micosoft.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
142B

MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt

Filesize
84B

MD5
97b5144a6507e68b558ef2c85c5ef23d

SHA1
3b3a5db27bdfea8a463df14e92301e57e194f492

SHA256
7b2d574fa976abf4814d889601a7a8fc84575a97d0a7d715e257b890c931bc42

SHA512
96a0125b415a34efef6b33915bd6fd0e2a144d853560ca7235d1135fab7d8e7d6a814f86534c366cdacdcca0e3e1349102a39cbf3d790f7107efdd34354aefcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WawrHJfWf.txt

Filesize
32B

MD5
4a63c2de6de95f20781563620320bdfd

SHA1
6d1da625342dafb630e365914a09fac09a0c7fcb

SHA256
8a0ec55c9f5ecf4e81c9bed8b0be26c1e123614c40b9f281aeaaf6bcf0869634

SHA512
31e56e6f02338529887707aff9cb965e899be45ef806bbb4ab09695511b12e422f2dabd17c181170d38ff569592f21060ffa5ea059149b0fb51b80b0139becbf

Download Submit
C:\Windows\SysWOW64\Micosoft.exe

Filesize
69KB

MD5
4f423fbb6d7c31fd3cac2c3729e39762

SHA1
547daf4dc1fec5c0f81b6f63987f945b68e1f40a

SHA256
c5501222fa725c82f0e978d2bfdc1b8435dd7784b21e532531ec2e107077aa5c

SHA512
0158a6a56840bedceafa05e59b69888cc6be21d29b64d2c54ede1b39b7a11e2a9ecf0ce4221801758baed98bff8e21b3487722334ecf31fbd5efc9fff5aa54a9

Download Submit
memory/1008-41-0x0000000002A40000-0x0000000002A61000-memory.dmp

Filesize
132KB

Download
memory/3948-6-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download
memory/3948-5-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3948-7-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3948-8-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3948-11-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3948-4-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/3948-3-0x0000000002C60000-0x0000000002C78000-memory.dmp

Filesize
96KB

Download
memory/3948-2-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/3948-1-0x00000000008F0000-0x0000000000908000-memory.dmp

Filesize
96KB

Download
memory/3948-0-0x000000007500E000-0x000000007500F000-memory.dmp

Filesize
4KB

Download
memory/4044-19-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

Filesize
240KB

Download
memory/4044-17-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4044-20-0x0000000004F70000-0x0000000004F91000-memory.dmp

Filesize
132KB

Download
memory/4044-21-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4044-23-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-16-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-15-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-14-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-36-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-13-0x0000000003070000-0x0000000003088000-memory.dmp

Filesize
96KB

Download
memory/4336-12-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download