revengerat | 179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Size

220KB
MD5

8b1eff957cbbabe0de8eadb89c03bd33
SHA1

2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7
SHA256

179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff
SHA512

ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54
SSDEEP

3072:ljshpXXFMFcU+AdU8fhiSQog87VHy3F69PuqnN1f:tsXFtAvcmgqHwF60S

Score

10^/10

revengerat guest discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

dnstext.publicvm.com:112

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2276-22-0x0000000005A70000-0x0000000005A78000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
4024	Client.exe
4024	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
Token: SeDebugPrivilege	4024	Client.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 976	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	83
PID 2276 wrote to memory of 976	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	83
PID 2276 wrote to memory of 976	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	83
PID 976 wrote to memory of 1544	976	csc.exe	85
PID 976 wrote to memory of 1544	976	csc.exe	85
PID 976 wrote to memory of 1544	976	csc.exe	85
PID 2276 wrote to memory of 4024	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	102
PID 2276 wrote to memory of 4024	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	102
PID 2276 wrote to memory of 4024	2276	JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe	102
PID 4024 wrote to memory of 5100	4024	Client.exe	103
PID 4024 wrote to memory of 5100	4024	Client.exe	103
PID 4024 wrote to memory of 5100	4024	Client.exe	103
PID 5100 wrote to memory of 692	5100	csc.exe	105
PID 5100 wrote to memory of 692	5100	csc.exe	105
PID 5100 wrote to memory of 692	5100	csc.exe	105

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b1eff957cbbabe0de8eadb89c03bd33.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7705.tmp" "c:\Users\Admin\AppData\Local\Temp\4cc05qsb\CSCDB9CC01771BB43749581319582BC317C.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1544
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72F.tmp" "c:\Users\Admin\AppData\Local\Temp\ei4lutjr\CSC6F4C49CEB084A1FA836CC283B84C3A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.dll

Filesize
7KB

MD5
7e8ed8ff75b1b205df3947f825184543

SHA1
9790bd6538652be3bba039e6e7be0ffd1e96fe34

SHA256
f69fde4b8ad4e95f4cb2b823b916bbe25c2a705bbcd45105ecb712d30fda2c4f

SHA512
56690ee15a4f38828baa2162c2d1c1f93fb6751b3abaec5557ec9ade2848044d06ffe05f0535c671863bbbc9570575d3d660e355f8ebdeaec543336e9def5dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.pdb

Filesize
23KB

MD5
c5ce755b0df3669fdd94bc15d9b28110

SHA1
13813dde1113df04196178f8994d0fb2b4f05835

SHA256
a153665b1e92ec96e074f7bf2af7f52eb631c2d8ecc37178bf12805a7e7a352c

SHA512
750cc52c08b3833d704766afd71d9df868a50e3a372574e898fa00666ba632eddcc3600bfbffeb364c1e23f8e862057685b0f6b161b8451b80a919d424394f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES72F.tmp

Filesize
1KB

MD5
2ad83426add832240a871352c7611148

SHA1
2d3b1a4d314a90494b19e0729d39a94ba871899c

SHA256
3f4fea4fb07ec56dd35def50d07fdcd7653ef3aab5e377491a456efb052a11ff

SHA512
32179e02e87b450d6babed0bb2964ff2043ecbdf1c5ff8b5141f2a815745fab861d690c787c60b1e3fa300ef30d6505750cb9cb48463090697b9188795213d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7705.tmp

Filesize
1KB

MD5
8ea9b700c6cd34c0791e222c75caa073

SHA1
3ae5c5fb0c57472d2a04274ea316df81ffef2bbd

SHA256
062d11aabfdbd1fc117c6d485d245a24459b8e8a0089834ea942e37ab8372efb

SHA512
857bc877d64d0797f1fab282dd9ce71bd1406db8d2a780791222c73c08d5e30449982825b5539f0ec96e7e2825834ef5fda2cbab9f2628ccbecb8c93587be036

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.dll

Filesize
7KB

MD5
491f42bbb112313b7bfa7c26a955d4bf

SHA1
d6e030bfbf5757e0ec3c150c6542ed2acf5ea44a

SHA256
108c698c49eae97a83d006d8a83731736fbeda040e17cc60814d8d56d0d5ff7f

SHA512
590ee49226c20802f8ba2004d7f7d5abb54e64a2f99e5b84b9828145cbed95c567d4d042b4beb7f6f54d3261f5a4e625767f5b6c4dc57bb8637c8915cce68102

Download Submit
C:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.pdb

Filesize
23KB

MD5
f57589eaaf644bf0843292ff6af07ac1

SHA1
43586aff971c90ce0abb9e043d8a8e3d3bb12d9c

SHA256
ddc6e27823c6afe4e4836e6e857e0dee221cf9f806c9b0715e5c2457925a6ada

SHA512
2b7a7c71766572263f2060dc77b2c7629eea6b73dba059dbb000db06690333cbd76810e60f2169c738260c2e8fe92942bc2c47353294395e945e4e613f757b0f

Download Submit
C:\Users\Admin\AppData\Roaming\Client.exe

Filesize
220KB

MD5
8b1eff957cbbabe0de8eadb89c03bd33

SHA1
2ec99b5ee61b9c2ef59a140feabcc2e3dd8d10f7

SHA256
179d2a85a10ac57bbbed4ea5cb3b48c407d6f2a701c993d0b8b449f43f140aff

SHA512
ff5289179084d146cd0b99c04942ffe10d8d44daca33244b3b0aecc216e0e3dfa78f9abc52d1c50e357d65afaa35fe7162bbce218587e9dbac855ab5c8d3fc54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.0.cs

Filesize
5KB

MD5
4949667438d5392543cfdd46006a2f06

SHA1
7ad3f3b16fce93fd4e56f24f13610e9761a48eb0

SHA256
03626e616391cac1bf69f60da6dd99ec1ee697a58e428ab69d27a22afad62ea3

SHA512
0967e449f9f2c4015d8da02b7b6aadfe7f6af9ea2140c4c3f6f3efaa7d5cfb449bce819e41093727a90743c1a8d7d6b3c67f30ecc3aa9a28fb02d3dd34c08c68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\4cc05qsb.cmdline

Filesize
312B

MD5
495443d56147d70a3f4b5c61a05d3b39

SHA1
2433809c5d5e987e9d7c9cf1f81e50c6aa7e3f8b

SHA256
b4e31977af1d11f37795dde49e535eb0a878924ef68af68c433a1d6f00a90d3e

SHA512
f4b20a230d500373f89269c755d43bea24ada95ca8033e4523280778ff7fdf307d6d381218568ea65b87f36bfe29fd180112e24a2d9b65e05f7f63db5a4de75c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4cc05qsb\CSCDB9CC01771BB43749581319582BC317C.TMP

Filesize
1KB

MD5
6a10d83d3b10587686446c76ef85202b

SHA1
27fdee6f4dc328320fe79be72a097a0773267b8e

SHA256
716f6f7f5c13fbb161698437681a7b4702822f431376a275a2cee0ae3cb95633

SHA512
bcf11a5613c2eaf89567ca449cbf8502cc41eed087aee98c24fe9be21ea751babf6a394bf8f4ddec2d2305bd16d4bf39b28cb38380c4b80f0d7969d4b2d50f6f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ei4lutjr\CSC6F4C49CEB084A1FA836CC283B84C3A.TMP

Filesize
1KB

MD5
2e6cfedde23ff0433223bd990baaf3b6

SHA1
a4c31934161499ee6425c528124b85d26058fe02

SHA256
62d017e4e15b58ce6752f1b6ef831ddc25b0210c1b0c6614e41814aac0f3ae21

SHA512
7cdd1c52d79c0008d74dc739760c3f98b314a81e8c380092f2154a338d4687dbfa2fd47619eac7b3bba11e82bd07ada6c5b7141d7c1bb69293711f0dbbb5fad9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ei4lutjr\ei4lutjr.cmdline

Filesize
312B

MD5
48ddc90704e90f0a4335ca4693c5ea53

SHA1
719945213c449093f0cabdc21379046e7de2e1fd

SHA256
0875cf74956c90631a4347cab09c4cedbc7f3982cd390d13f1d1d50ff7facbe7

SHA512
d4964e467c6ba192885a80ef412ad81b1ad0e2cdc69a81f0047e458e616d9f7028e164c909844bc939f748df3ad898ab5e262a7fdd33ea94c845a9a247594027

Download Submit
memory/2276-23-0x0000000005D40000-0x0000000005DDC000-memory.dmp

Filesize
624KB

Download
memory/2276-17-0x0000000001A80000-0x0000000001A88000-memory.dmp

Filesize
32KB

Download
memory/2276-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/2276-24-0x0000000006490000-0x0000000006A34000-memory.dmp

Filesize
5.6MB

Download
memory/2276-25-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/2276-26-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/2276-27-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2276-20-0x0000000005880000-0x0000000005894000-memory.dmp

Filesize
80KB

Download
memory/2276-43-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2276-1-0x0000000000FB0000-0x0000000000FEE000-memory.dmp

Filesize
248KB

Download
memory/2276-5-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/2276-21-0x0000000005A50000-0x0000000005A5C000-memory.dmp

Filesize
48KB

Download
memory/2276-19-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/2276-22-0x0000000005A70000-0x0000000005A78000-memory.dmp

Filesize
32KB

Download
memory/4024-57-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/4024-44-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4024-45-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/4024-59-0x00000000049B0000-0x00000000049C4000-memory.dmp

Filesize
80KB

Download
memory/4024-60-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download