Overview

overview

10

Static

static

10

Revenge.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    219s
  • max time network
    220s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07-01-2025 18:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Revenge.exe

  • Size

    20KB

  • MD5

    8ce9e623e44cdb2dbd292da43a90506f

  • SHA1

    09c00d2c83c5456ae168b8329a63befacaef004e

  • SHA256

    da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049

  • SHA512

    792e0cb35c0d4dd87a5f21d9ea7b154139676497373717150bfb629669bc59c799f8f8bbdeb763eab696e0cb85e94744af4c77441eaa7a6283511ef0654331f3

  • SSDEEP

    384:AX2yy5E7X152gLDQqb7sVKuBV1yhKr2534WCzYcHe+Z:Q2yy5Gl52uDp42h4XzYcHe+Z

Score
10/10
revengeratgueststealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

necatisoff-36486.portmap.host:36486

Mutex

RV_MUTEX-ETUKIWwiejYAo

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 50 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revenge.exe
    "C:\Users\Admin\AppData\Local\Temp\Revenge.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\system32\algorhitm.exe
      "C:\Windows\system32\algorhitm.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
          PID:4744
        • C:\Windows\System32\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe"
          3⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1016
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
          • Modifies registry class
          PID:4012
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
          dw20.exe -x -s 1588
          3⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4388
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1056

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\System32\algorhitm.exe
      Filesize

      20KB

      MD5

      8ce9e623e44cdb2dbd292da43a90506f

      SHA1

      09c00d2c83c5456ae168b8329a63befacaef004e

      SHA256

      da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049

      SHA512

      792e0cb35c0d4dd87a5f21d9ea7b154139676497373717150bfb629669bc59c799f8f8bbdeb763eab696e0cb85e94744af4c77441eaa7a6283511ef0654331f3

      Download Submit

    • memory/1016-32-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-33-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-34-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-35-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-36-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-37-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-31-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-25-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-27-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1016-26-0x0000020329B30000-0x0000020329B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2976-10-0x000000001CC40000-0x000000001CC48000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2976-1-0x000000001BEB0000-0x000000001C37E000-memory.dmp

      Filesize

      4.8MB

      Download

    • memory/2976-13-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-14-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-15-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-11-0x000000001E6E0000-0x000000001EBF0000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2976-18-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-19-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-12-0x0000000001200000-0x000000000120C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2976-2-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-3-0x000000001B910000-0x000000001B9B6000-memory.dmp

      Filesize

      664KB

      Download

    • memory/2976-4-0x000000001C440000-0x000000001C4A2000-memory.dmp

      Filesize

      392KB

      Download

    • memory/2976-5-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-0-0x00007FFFEC2E5000-0x00007FFFEC2E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2976-9-0x000000001E130000-0x000000001E1CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2976-8-0x000000001C7A0000-0x000000001C7B4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2976-7-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2976-6-0x00007FFFEC2E5000-0x00007FFFEC2E6000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3712-24-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-23-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-22-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-20-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-21-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-38-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-40-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/3712-42-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3712-43-0x000000001E5E0000-0x000000001E5F8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3712-44-0x0000000001410000-0x0000000001430000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3712-45-0x0000000001390000-0x00000000013A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/3712-52-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

      Filesize

      9.6MB

      Download