revengerat | 2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896

General

Target

2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
Size

1.9MB
MD5

335457b24d4fb19bfd9a711f5b3deaf0
SHA1

2c9f74a030a77c6b2fc552ab1fd0ef48a54eca68
SHA256

2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896
SHA512

a603b6e5efb0ba3db23f01cbafd73fe6e533d9187c9c24aefffbbee42d4073a85278e33a312ea2da720e40c9de4c17cd8cef87fe39bfb8ab577c278abb909842
SSDEEP

49152:E91DSeK3K1ovWnZ5Yw9NMZ6Pkew933XyrCCC0:MNSeb1n5YEi0Pm93y

Score

10^/10

revengerat discovery persistence stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0004000000004ed7-14.dat	revengerat

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "svchost.exe"	WipeShadow.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	WipeShadow.exe

Executes dropped EXE 2 IoCs

pid	Process
2588	WipeShadow.exe
2224	WipeShadow.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	cmd.exe
2588	WipeShadow.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	WipeShadow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	WipeShadow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WipeShadow.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2588	WipeShadow.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
Token: SeDebugPrivilege	2588	WipeShadow.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2864	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	32
PID 1752 wrote to memory of 2864	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	32
PID 1752 wrote to memory of 2864	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	32
PID 1752 wrote to memory of 2864	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	32
PID 1752 wrote to memory of 2428	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	34
PID 1752 wrote to memory of 2428	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	34
PID 1752 wrote to memory of 2428	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	34
PID 1752 wrote to memory of 2428	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	34
PID 1752 wrote to memory of 2828	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	36
PID 1752 wrote to memory of 2828	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	36
PID 1752 wrote to memory of 2828	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	36
PID 1752 wrote to memory of 2828	1752	2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe	36
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2828 wrote to memory of 2588	2828	cmd.exe	38
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39
PID 2588 wrote to memory of 2224	2588	WipeShadow.exe	39

C:\Users\Admin\AppData\Local\Temp\2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe
"C:\Users\Admin\AppData\Local\Temp\2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896N.exe"
1⤵
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Delete /TN "Update\dcba3215-9a85-40cf-9198-e7887aed0f54" /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Update\dcba3215-9a85-40cf-9198-e7887aed0f54" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22198683.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /K "C:\ProgramData\WipeShadow.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\ProgramData\WipeShadow.exe
    C:\ProgramData\WipeShadow.exe
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\ProgramData\WipeShadow.exe
      C:\ProgramData\WipeShadow.exe
      4⤵
      Executes dropped EXE
      PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

1

T1546

Image File Execution Options Injection

1

T1546.012

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp22198683.tmp

Filesize
1KB

MD5
e954647b595833598510fb7cfcbdbac4

SHA1
e843d0ce9ddf2d5abf7bb3e2b08d15d5d8be907c

SHA256
c397ba77f80fcffff7198c4be4b57f22fe1d5451437c9e27a158857ef22fb889

SHA512
5c5eec8c26e2c1176067880c9debd422514e0a06d71387d4e5e250606012be30dabf2a5da9a9bc8f40840d437e14936a594855cdb7a138b288d688b83d01060d

Download Submit
\ProgramData\WipeShadow.exe

Filesize
1.9MB

MD5
335457b24d4fb19bfd9a711f5b3deaf0

SHA1
2c9f74a030a77c6b2fc552ab1fd0ef48a54eca68

SHA256
2909c8b92462475f5ae4c31fd0d00160ffda8bbcbbea6c1b5cae80aecff0f896

SHA512
a603b6e5efb0ba3db23f01cbafd73fe6e533d9187c9c24aefffbbee42d4073a85278e33a312ea2da720e40c9de4c17cd8cef87fe39bfb8ab577c278abb909842

Download Submit
memory/1752-0-0x0000000074381000-0x0000000074382000-memory.dmp

Filesize
4KB

Download
memory/1752-1-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-2-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-3-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-4-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-5-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-6-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/1752-13-0x0000000074380000-0x000000007492B000-memory.dmp

Filesize
5.7MB

Download
memory/2588-18-0x0000000005ED0000-0x0000000005ED3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads