revengerat | f10c42d174ddd54feb7137a49807904d489b9b7345a032a7b393b7e8f612d9e4

General

Target

JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe
Size

57KB
MD5

19c8f7ceabfd03accfcbfb8698aabdd2
SHA1

7450580ec60ad5c82d6be51cbcf7f9a3cf55e25f
SHA256

f10c42d174ddd54feb7137a49807904d489b9b7345a032a7b393b7e8f612d9e4
SHA512

cb3507d419a7368665d32f255ddb830776a0f2d01287f9a8b559a53aaaa06d04f2396da8066553cf73e7e87e090f7bf3434ace5384a7426883db6ca90182ebe4
SSDEEP

768:9/NrSYzvletjumiFzI35f+rouhpW05clQvmNfA9EZ4UENQ2TA/:+YrEjiNIl+rouhpW0cfNfA9pUEA

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x000b000000023b97-10.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k.exe	vbc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k	TeamViewer-4k.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k	TeamViewer-4k.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k.vbs	TeamViewer-4k.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k.js	TeamViewer-4k.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k.lnk	TeamViewer-4k.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TeamViewer-4k.URL	TeamViewer-4k.exe

Executes dropped EXE 2 IoCs

pid	Process
3820	TeamViewer-4k.exe
1616	TeamViewer-4k.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4kTEAM = "C:\\Users\\Admin\\AppData\\Roaming\\TeamViewer-4k.exe"	TeamViewer-4k.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer-4k.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer-4k.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4496	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe
Token: SeDebugPrivilege	3820	TeamViewer-4k.exe
Token: SeDebugPrivilege	1616	TeamViewer-4k.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3820	4692	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe	91
PID 4692 wrote to memory of 3820	4692	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe	91
PID 4692 wrote to memory of 3820	4692	JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe	91
PID 3820 wrote to memory of 3576	3820	TeamViewer-4k.exe	92
PID 3820 wrote to memory of 3576	3820	TeamViewer-4k.exe	92
PID 3820 wrote to memory of 3576	3820	TeamViewer-4k.exe	92
PID 3576 wrote to memory of 2884	3576	vbc.exe	94
PID 3576 wrote to memory of 2884	3576	vbc.exe	94
PID 3576 wrote to memory of 2884	3576	vbc.exe	94
PID 3820 wrote to memory of 4496	3820	TeamViewer-4k.exe	95
PID 3820 wrote to memory of 4496	3820	TeamViewer-4k.exe	95
PID 3820 wrote to memory of 4496	3820	TeamViewer-4k.exe	95

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_19c8f7ceabfd03accfcbfb8698aabdd2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe
  "C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ibsbiy1z.cmdline"
    3⤵
    - Drops startup file
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB188.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc700E91A6916F4B3EBD3977C3292A6080.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "4kTEAM" /tr "C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4496

C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe
C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB188.tmp

Filesize
1KB

MD5
0760b1bd6feecab1ba29367d42a52ab5

SHA1
19ee7fb08a28212af36687d2d9e2b878b4186038

SHA256
6e0aa99e8177c7a889b820503d8e299d1189809ce1b1376e0ca2379cff2fe3b6

SHA512
28b642f890a662fe70bceea501e6014f1204e6d0523c5afa84deba191f054cf2008652eb7156efe6023e11fdc8f15b8aee871b948a247293e18ee89a69f4a852

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibsbiy1z.0.vb

Filesize
158B

MD5
6f08a6843d6aab5c6c2f04127f9260a2

SHA1
545eff96fbc0d3c3d6759d158b71705904613114

SHA256
0737ebc854708f9f2ec8707c8e83adb8e1a4e8f83074cfc77a1eba0e0949f3a4

SHA512
2753cdb89404cd8147a524b4c2ce71317ad51b02a7bde5fa473877e828303b6302b8b82c0d3ca7ce62e901aa24c82d44da720f687b694a770fedaef913c1c3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibsbiy1z.cmdline

Filesize
197B

MD5
ccc5df2090ecb63c2d7d42f3166f35e7

SHA1
e8a86c489810321a350fa085778b64387293d9d4

SHA256
d77ca15ca721a03f276a7f18766967ba1f4caff5a9cd5af474287d6716fb68c2

SHA512
24ea532c2dd6c214a0bbd45e2d72f50098fdd12a3b14d4c47b0fdeef034656c6a2854a7df9cd64a90f131e17093bc8b46c315b707ceec13de8db54c0eddf3cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc700E91A6916F4B3EBD3977C3292A6080.TMP

Filesize
668B

MD5
b2e2ac45261982d0eb75d0a4f9f7a4c5

SHA1
ab1741199faf69b1163a6ddaf5a739ede02858ab

SHA256
1a8da5a0397488b826932d7584733a714005a6e1f720da484d56e4f9677e96ae

SHA512
0a87dc721ffdc45f892529a0a2edc454bf87ec53e0b43cc1d0561e138493533ba244db9cc8395a061120d4323dc8b20b298a0d76da66dda429a6cb3d69d5d07a

Download Submit
C:\Users\Admin\AppData\Roaming\TeamViewer-4k.exe

Filesize
57KB

MD5
19c8f7ceabfd03accfcbfb8698aabdd2

SHA1
7450580ec60ad5c82d6be51cbcf7f9a3cf55e25f

SHA256
f10c42d174ddd54feb7137a49807904d489b9b7345a032a7b393b7e8f612d9e4

SHA512
cb3507d419a7368665d32f255ddb830776a0f2d01287f9a8b559a53aaaa06d04f2396da8066553cf73e7e87e090f7bf3434ace5384a7426883db6ca90182ebe4

Download Submit
memory/3576-46-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3576-37-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3820-20-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3820-21-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3820-19-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/3820-22-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4692-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/4692-18-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4692-5-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4692-4-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4692-3-0x00000000750B2000-0x00000000750B3000-memory.dmp

Filesize
4KB

Download
memory/4692-2-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download
memory/4692-1-0x00000000750B0000-0x0000000075661000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads