revengerat | 7a2b24e85d1ee137e9b96d8ca987cb90d2fc49f0f10906cde870bb0ee3a0bfed

Analysis

max time kernel
380s
max time network
393s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/03/2025, 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

24KB
MD5

a226efb28f312fe033e65bd6a69f6984
SHA1

f6b6ff14ef481d6790e0e2815a91f9504b003cd3
SHA256

7a2b24e85d1ee137e9b96d8ca987cb90d2fc49f0f10906cde870bb0ee3a0bfed
SHA512

8128fdf9c2900566b2f17c6e3719a600f5ac8878715c6d7694c4623ee873d783c38b45eb63c368b3aa4bab311fadf01d2bc7cb775ae7a295e9e2afdaa1d3aa4a
SSDEEP

384:eU0ZVrMYSvRPJnMHYaA1WNbIBj3GNgylu9MZxe1sbYp7v1yRiflGeCzYcHe+Z:eZV59E3CVu9DMitG/zYcHe+Z

Score

10^/10

revengerat test discovery stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

test

127.0.0.1:333

127.0.0.1:21

127.0.0.1:443

127.0.0.1:80

212.102.63.147:333

212.102.63.147:21

212.102.63.147:443

212.102.63.147:80

Mutex

RV_MUTEX-fawrHJfWfhaR

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000028234-27.dat	revengerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	vbc.exe

Executes dropped EXE 1 IoCs

pid	Process
5636	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5664 set thread context of 1044	5664	test.exe	82
PID 1044 set thread context of 3400	1044	RegSvcs.exe	83
PID 5636 set thread context of 5112	5636	svchost.exe	86
PID 5112 set thread context of 2944	5112	RegSvcs.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5664	test.exe
Token: SeDebugPrivilege	1044	RegSvcs.exe
Token: SeDebugPrivilege	5636	svchost.exe
Token: SeDebugPrivilege	5112	RegSvcs.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 5664 wrote to memory of 1044	5664	test.exe	82
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 3400	1044	RegSvcs.exe	83
PID 1044 wrote to memory of 5636	1044	RegSvcs.exe	85
PID 1044 wrote to memory of 5636	1044	RegSvcs.exe	85
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5636 wrote to memory of 5112	5636	svchost.exe	86
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2944	5112	RegSvcs.exe	87
PID 5112 wrote to memory of 2888	5112	RegSvcs.exe	89
PID 5112 wrote to memory of 2888	5112	RegSvcs.exe	89
PID 5112 wrote to memory of 2888	5112	RegSvcs.exe	89
PID 2888 wrote to memory of 4504	2888	vbc.exe	91
PID 2888 wrote to memory of 4504	2888	vbc.exe	91
PID 2888 wrote to memory of 4504	2888	vbc.exe	91

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
- - C:\Users\Admin\Documents\svchost.exe
    "C:\Users\Admin\Documents\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5636
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4rotipl\l4rotipl.cmdline"
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF17584E12BC140CBBD38AC9E6EEB5C0.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
142B

MD5
8c0458bb9ea02d50565175e38d577e35

SHA1
f0b50702cd6470f3c17d637908f83212fdbdb2f2

SHA256
c578e86db701b9afa3626e804cf434f9d32272ff59fb32fa9a51835e5a148b53

SHA512
804a47494d9a462ffa6f39759480700ecbe5a7f3a15ec3a6330176ed9c04695d2684bf6bf85ab86286d52e7b727436d0bb2e8da96e20d47740b5ce3f856b5d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D4A.tmp

Filesize
1KB

MD5
b4a7475fe6d48bfd90703f03207315cb

SHA1
4182c4093d641c8e3e6fc0e81b9416d219b7b007

SHA256
c57515dc5e2801a20e9594a9ef91dbc9d42f92fd22a33e34b427fd19680fac22

SHA512
084491db94a5fcb7fe4dc897aece3d03e5a48f0dbf06ecab5addf80e3fad07670a03379cd59b7c666ab803725707f19f8329ba8d0b4e6fa62cc0182aa34fcb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRvZwfRt.txt

Filesize
42B

MD5
faacfa4444c38959d1033137e5a1ffa4

SHA1
b60ed17fbbd52024aae6714bd337b12dc2502e50

SHA256
ae0d5ffde1564441649a4485564b80e2a4a126456c4a9b439c07005656dd26a6

SHA512
eae70ace61807142ff649ebb7b34b13913804ce01ec3fb1b3181ad1a690bb1608d898300c97cf2e5c9737a8e60efaf6e155c0f3221ebd084339d0579827ccb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRvZwfRt.txt

Filesize
36B

MD5
2d6c2c98cb26720e2a0c9687e216cbf1

SHA1
1dfe5b2224dd8677c55de396f39335d2183ed03e

SHA256
a5c28e056ed7468655e12671f4d1e2019a21540ce6a288b71aae76d3ba1483a9

SHA512
69ea72bbbe4671aec69b03ca2c6a5c7ab04b1f8b8d5b3b45788eb57b9017914f7e4e08643cd6c7b42bfefa61c4e3a3e8dd7842f584dec3f023dfe543885e1bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4rotipl\l4rotipl.0.vb

Filesize
146B

MD5
1f070991328cbe8d184a5322cb39e7e9

SHA1
f0aa9028828ab5e4a44b260235cfa7a462fcc454

SHA256
b5b8a92ad699a67e1d607b8a553541933261fb3ef36ab85328af5e3907a4d0c5

SHA512
caa96c9f42aa1ec9f17199fbd5b16edd5f3df97847482add6dd949a30fb775ef2b53cf49f755406d912e3b392af28bcc7961271b50220eee2558cd2442d8cd37

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4rotipl\l4rotipl.cmdline

Filesize
204B

MD5
ac4124352b5a8c9e758cf548bc753509

SHA1
7079dbef4e5a67355b4cba6480cf51971f0f24e6

SHA256
35b27f45a45de2506574d1d7bdf34e2a570565c152886906fab772bc07c56307

SHA512
c0fb486505cbbd897374160a6e36bd384d220ec03a3ce0672a87e50211b039f7b91df28f8419783115ddb4b664a6d0856012c41478efb42809cda78fda398856

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF17584E12BC140CBBD38AC9E6EEB5C0.TMP

Filesize
1KB

MD5
b10290e193d94a5e3c95660f0626a397

SHA1
7b9de1fd7a43f6f506e5fc3426836b8c52d0d711

SHA256
75c9e1766bfb99754b6a00d37ef93488ab216b5ac48984ed7d9d2076a7056fd2

SHA512
6ae4201552a499eaa726416b29230f48d94ac7f40ff038165bf8582626bbefe601ef6c051ad97d9156dc4b9b55fd22081db61bcd013916136340c5f1324e4bb5

Download Submit
C:\Users\Admin\Documents\svchost.exe

Filesize
24KB

MD5
a226efb28f312fe033e65bd6a69f6984

SHA1
f6b6ff14ef481d6790e0e2815a91f9504b003cd3

SHA256
7a2b24e85d1ee137e9b96d8ca987cb90d2fc49f0f10906cde870bb0ee3a0bfed

SHA512
8128fdf9c2900566b2f17c6e3719a600f5ac8878715c6d7694c4623ee873d783c38b45eb63c368b3aa4bab311fadf01d2bc7cb775ae7a295e9e2afdaa1d3aa4a

Download Submit
memory/1044-19-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/1044-11-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1044-12-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1044-13-0x0000000004B60000-0x0000000004BFC000-memory.dmp

Filesize
624KB

Download
memory/1044-14-0x00000000051B0000-0x0000000005756000-memory.dmp

Filesize
5.6MB

Download
memory/1044-15-0x0000000004C00000-0x0000000004C66000-memory.dmp

Filesize
408KB

Download
memory/1044-16-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1044-29-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/1044-26-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/2944-34-0x00000000011C0000-0x00000000011E1000-memory.dmp

Filesize
132KB

Download
memory/3400-21-0x00000000049F0000-0x0000000004A2C000-memory.dmp

Filesize
240KB

Download
memory/3400-22-0x00000000049B0000-0x00000000049D1000-memory.dmp

Filesize
132KB

Download
memory/3400-20-0x0000000000610000-0x000000000061E000-memory.dmp

Filesize
56KB

Download
memory/3400-25-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/3400-23-0x0000000074A00000-0x00000000751B1000-memory.dmp

Filesize
7.7MB

Download
memory/5664-0-0x00007FFF62C75000-0x00007FFF62C76000-memory.dmp

Filesize
4KB

Download
memory/5664-6-0x00007FFF62C75000-0x00007FFF62C76000-memory.dmp

Filesize
4KB

Download
memory/5664-7-0x00007FFF629C0000-0x00007FFF63361000-memory.dmp

Filesize
9.6MB

Download
memory/5664-5-0x000000001C150000-0x000000001C1B2000-memory.dmp

Filesize
392KB

Download
memory/5664-10-0x00007FFF629C0000-0x00007FFF63361000-memory.dmp

Filesize
9.6MB

Download
memory/5664-4-0x00007FFF629C0000-0x00007FFF63361000-memory.dmp

Filesize
9.6MB

Download
memory/5664-2-0x00007FFF629C0000-0x00007FFF63361000-memory.dmp

Filesize
9.6MB

Download
memory/5664-3-0x000000001B5C0000-0x000000001B666000-memory.dmp

Filesize
664KB

Download
memory/5664-1-0x000000001BBC0000-0x000000001C08E000-memory.dmp

Filesize
4.8MB

Download