Malware Analysis Report

2025-04-14 05:10

Sample ID 250107-w7tabavmhq
Target Revenge.exe
SHA256 da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049
Tags
stealer guest revengerat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049

Threat Level: Known bad

The file Revenge.exe was found to be: Known bad.

Malicious Activity Summary

stealer guest revengerat trojan

RevengeRAT

RevengeRat Executable

Revengerat family

RevengeRat Executable

Drops startup file

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-07 18:34

Signatures

RevengeRat Executable

stealer

Revengerat family

revengerat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-01-07 18:34

Reported

2025-01-07 18:39

Platform

win10ltsc2021-20241211-en

Max time kernel

219s

Max time network

220s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Revenge.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation C:\Windows\system32\algorhitm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Revenge.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\algorhitm.exe C:\Windows\system32\algorhitm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\algorhitm.vbs C:\Windows\system32\algorhitm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\algorhitm.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\algorhitm.exe C:\Windows\system32\algorhitm.exe N/A
File created C:\Windows\system32\algorhitm.exe C:\Users\Admin\AppData\Local\Temp\Revenge.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\algorhitm.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Users\Admin\AppData\Local\Temp\Revenge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Revenge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 C:\Windows\system32\algorhitm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Revenge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\algorhitm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
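The tables above (Drops startup file, Executes dropped EXE, Drops file in System32 directory, Suspicious use of AdjustPrivilegeToken) describe a single chain: the dropper in %TEMP% writes a copy of itself into System32, starts that copy, and the copy plants an EXE and a VBS in the user's Startup folder while both processes enable SeDebugPrivilege. The Python below is an added example, not part of the sandbox report, showing how those rows translate into endpoint detection logic. The event layout (kind/image/target/sha256) is an assumed Sysmon-like shape, and the EVENTS list is constructed from the report's own rows plus one benign Taskmgr.exe row to show that the privilege rule does not fire on a system binary.

```python
"""
Triage of the persistence and token-privilege rows in this report, expressed
as detection logic over process telemetry. Added example, not sandbox code:
the event field names are assumed and EVENTS is constructed from the report.
"""
import re
from dataclasses import dataclass

# SHA256 of the submitted Revenge.exe (report header). The dropped copy in
# System32 has the same hash, so "Executes dropped EXE" is a self-copy running.
SAMPLE_SHA256 = "da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049"

STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM32_DIR = re.compile(r"^[a-z]:\\Windows\\System32\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.I)


@dataclass
class Event:
    kind: str           # "FileCreate" | "ProcessCreate" | "PrivilegeEnabled"
    image: str          # process performing the action
    target: str = ""    # created file, started image, or privilege name
    sha256: str = ""    # hash of the created file / started image, if known


# Constructed events mirroring the behavioral1 tables (not sandbox output).
EVENTS = [
    Event("FileCreate", r"C:\Users\Admin\AppData\Local\Temp\Revenge.exe",
          r"C:\Windows\system32\algorhitm.exe", SAMPLE_SHA256),
    Event("ProcessCreate", r"C:\Users\Admin\AppData\Local\Temp\Revenge.exe",
          r"C:\Windows\system32\algorhitm.exe", SAMPLE_SHA256),
    # The dropped copy rewriting itself (second row of the System32 table).
    Event("FileCreate", r"C:\Windows\system32\algorhitm.exe",
          r"C:\Windows\system32\algorhitm.exe", SAMPLE_SHA256),
    Event("FileCreate", r"C:\Windows\system32\algorhitm.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\algorhitm.exe"),
    Event("FileCreate", r"C:\Windows\system32\algorhitm.exe",
          r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\algorhitm.vbs"),
    Event("PrivilegeEnabled", r"C:\Users\Admin\AppData\Local\Temp\Revenge.exe", "SeDebugPrivilege"),
    Event("PrivilegeEnabled", r"C:\Windows\system32\algorhitm.exe", "SeDebugPrivilege"),
    # Benign noise from the same trace: Task Manager legitimately enables SeDebugPrivilege.
    Event("PrivilegeEnabled", r"C:\Windows\System32\Taskmgr.exe", "SeDebugPrivilege"),
]


def triage(events):
    """Return (rule_name, image, target) tuples for the suspicious rows.

    Two passes. The first flags file drops and self-copy execution and builds a
    "tainted" set: images under a user-writable path, plus every file those
    rules saw being written or started. The second flags SeDebugPrivilege only
    when the enabling image is tainted, so Taskmgr.exe is not reported while
    the dropped copy in System32 is.
    """
    tainted = {e.image.lower() for e in events if USER_WRITABLE.match(e.image)}
    findings = []
    for e in events:
        if e.kind == "FileCreate":
            if STARTUP_DIR.search(e.target):
                findings.append(("startup_folder_persistence", e.image, e.target))
                tainted.add(e.target.lower())
            elif SYSTEM32_DIR.match(e.target) and not SYSTEM32_DIR.match(e.image):
                findings.append(("system32_drop_by_foreign_image", e.image, e.target))
                tainted.add(e.target.lower())
        elif e.kind == "ProcessCreate" and e.sha256.lower() == SAMPLE_SHA256:
            findings.append(("dropped_self_copy_executed", e.image, e.target))
            tainted.add(e.target.lower())
    for e in events:
        if (e.kind == "PrivilegeEnabled" and e.target == "SeDebugPrivilege"
                and e.image.lower() in tainted):
            findings.append(("sedebug_from_tainted_image", e.image, e.target))
    return findings


if __name__ == "__main__":
    for rule, image, target in triage(EVENTS):
        print(f"{rule:32} {image} -> {target}")
```

The third event, the dropped copy overwriting itself in System32, is deliberately not caught by the foreign-image rule (both sides are in System32); it is the tainted set built from the earlier drop that keeps later actions of that binary attributable. In production the hash would come from the telemetry source rather than a constant, and the Startup and System32 patterns should be joined with parent-process context rather than used on their own.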

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
(identical row repeated 50 times; every hit is from Taskmgr.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
(identical row repeated 50 times; every hit is from Taskmgr.exe)

Processes

C:\Users\Admin\AppData\Local\Temp\Revenge.exe

"C:\Users\Admin\AppData\Local\Temp\Revenge.exe"

C:\Windows\system32\algorhitm.exe

"C:\Windows\system32\algorhitm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1588

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 necatisoff-36486.portmap.host udp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
DE 193.161.193.99:36486 necatisoff-36486.portmap.host tcp
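The Network table contains one forward DNS lookup for necatisoff-36486.portmap.host, nine reverse (in-addr.arpa) lookups, and nine TCP sessions to 193.161.193.99:36486, the address that name resolved to; the port embedded in the hostname matching the destination port is the naming scheme of a port-forwarding relay, so the real operator host is not visible here. The Python below is an added example, not sandbox output: NETWORK_ROWS is copied from the table, while the resolver/connection split, the PTR decoding, the cross-check of reverse lookups against connection targets, and the Suricata rule text are this example's own assumptions.

```python
"""
Compacts the Network table of this report into an IOC set and detection
rules. Added example, not sandbox output: NETWORK_ROWS is copied from the
table; the classification logic and the rule text are assumptions.
"""
from collections import Counter
import ipaddress

# (country, destination, domain, proto) exactly as the table lists them.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "necatisoff-36486.portmap.host", "udp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "99.193.161.193.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
    ("DE", "193.161.193.99:36486", "necatisoff-36486.portmap.host", "tcp"),
]


def ptr_to_ip(name):
    """Decode a reverse-lookup name: '99.193.161.193.in-addr.arpa' -> '193.161.193.99'.

    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(rows, resolver_port="53"):
    """Split resolver traffic from direct connections and count the latter.

    Returns forward lookups (names the host asked for), reverse lookups (IPs
    looked up by PTR), each direct connection tuple with its hit count, and
    the reverse-looked-up IPs that are also connection targets (the C2 here).
    """
    forward, reverse = set(), set()
    connections = Counter()
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if proto == "udp" and port == resolver_port:
            ip = ptr_to_ip(domain)
            if ip:
                reverse.add(ip)
            else:
                forward.add(domain)
        else:
            connections[(host, port, proto, domain)] += 1
    targets = {host for host, _, _, _ in connections}
    return {
        "lookups": sorted(forward),
        "reverse_lookups": sorted(reverse),
        "connections": connections,
        "reverse_lookups_of_targets": sorted(reverse & targets),
    }


def suricata_rules(iocs, sid_base=9000001):
    """Emit one flow rule per connection tuple and one dns.query rule per name."""
    rules = []
    sid = sid_base
    for (host, port, proto, domain), hits in sorted(iocs["connections"].items()):
        rules.append(
            f'alert {proto} $HOME_NET any -> {host} {port} '
            f'(msg:"RevengeRAT C2 {domain} ({hits} hits in sandbox)"; '
            f'flow:to_server; sid:{sid}; rev:1;)')
        sid += 1
    for name in iocs["lookups"]:
        rules.append(
            f'alert dns any any -> any any (msg:"RevengeRAT C2 lookup {name}"; '
            f'dns.query; content:"{name}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    print("forward lookups:", iocs["lookups"])
    print("reverse lookups of connection targets:", iocs["reverse_lookups_of_targets"])
    for conn, hits in iocs["connections"].items():
        print(hits, "x", conn)
    print("\n".join(suricata_rules(iocs)))
```

The remaining eight reverse lookups are for addresses the sample never connected to in this trace; the example keeps them in the output but does not turn them into rules, since only the address that is both looked up and connected to is supported as an indicator by the table. The DNS rule is the more durable of the two, because a relay-hosted C2 can change its IP without changing the name the implant resolves.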

Files

memory/2976-0-0x00007FFFEC2E5000-0x00007FFFEC2E6000-memory.dmp

memory/2976-1-0x000000001BEB0000-0x000000001C37E000-memory.dmp

memory/2976-2-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-3-0x000000001B910000-0x000000001B9B6000-memory.dmp

memory/2976-4-0x000000001C440000-0x000000001C4A2000-memory.dmp

memory/2976-5-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-6-0x00007FFFEC2E5000-0x00007FFFEC2E6000-memory.dmp

memory/2976-7-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-8-0x000000001C7A0000-0x000000001C7B4000-memory.dmp

memory/2976-9-0x000000001E130000-0x000000001E1CC000-memory.dmp

memory/2976-10-0x000000001CC40000-0x000000001CC48000-memory.dmp

memory/2976-11-0x000000001E6E0000-0x000000001EBF0000-memory.dmp

memory/2976-12-0x0000000001200000-0x000000000120C000-memory.dmp

memory/2976-13-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-14-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-15-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

C:\Windows\System32\algorhitm.exe

MD5 8ce9e623e44cdb2dbd292da43a90506f
SHA1 09c00d2c83c5456ae168b8329a63befacaef004e
SHA256 da1e65953f6cf5b06dc9c4e0f596d5c9997c2ec32aeb41e875816f10c74cb049 (identical to the submitted Revenge.exe: the dropped file is a byte-for-byte self-copy)
SHA512 792e0cb35c0d4dd87a5f21d9ea7b154139676497373717150bfb629669bc59c799f8f8bbdeb763eab696e0cb85e94744af4c77441eaa7a6283511ef0654331f3

memory/2976-18-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/2976-19-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-21-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-20-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-22-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-23-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-24-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/1016-26-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-27-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-25-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-31-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-37-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-36-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-35-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-34-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-33-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/1016-32-0x0000020329B30000-0x0000020329B31000-memory.dmp

memory/3712-38-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-40-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp

memory/3712-42-0x000000001D1A0000-0x000000001D1B2000-memory.dmp

memory/3712-43-0x000000001E5E0000-0x000000001E5F8000-memory.dmp

memory/3712-44-0x0000000001410000-0x0000000001430000-memory.dmp

memory/3712-45-0x0000000001390000-0x00000000013A4000-memory.dmp

memory/3712-52-0x00007FFFEC030000-0x00007FFFEC9D1000-memory.dmp