revengerat | 5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
Size

3.3MB
MD5

91e122cb79dd06013a7e75568084064f
SHA1

cbfab72a68523fd4b1822a954dc1b06403f53e78
SHA256

5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d
SHA512

5b08e7e535e0cceb204748f6bdcb79963da562c37337a0964054baca927cf1593b89afe556d5e5427e0c511164428fcd554edde4513dc325cd10cd2b3c011dc2
SSDEEP

98304:voysTqyl3W1bI/JKN4+VrU/aCo59rMn1gOQxKl:v8w0IbTrMn1ykl

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00070000000164b4-23.dat	revengerat

Deletes itself 1 IoCs

pid	Process
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Executes dropped EXE 2 IoCs

pid	Process
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
3052	MHAutoPatch.exe

Loads dropped DLL 9 IoCs

pid	Process
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MHAutoPatch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
3052	MHAutoPatch.exe
3052	MHAutoPatch.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2556	1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	30
PID 1972 wrote to memory of 2556	1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	30
PID 1972 wrote to memory of 2556	1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	30
PID 1972 wrote to memory of 2556	1972	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	30
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32
PID 2556 wrote to memory of 3052	2556	5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe	32

C:\Users\Admin\AppData\Local\Temp\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
"C:\Users\Admin\AppData\Local\Temp\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe
  "C:\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe" "C:\Users\Admin\AppData\Local\Temp\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\MHAutoPatch.exe
    "C:\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\MHAutoPatch.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\pro.nlp

Filesize
46B

MD5
a700a5bf8bbe07c11c6f6f2a25a62fc4

SHA1
846c3dd150135df9ddf2f976394a26e93d4dea29

SHA256
712209a921b3559cc01789442adec292c7042896cbdea5b0d62bcaaf1ffb80a7

SHA512
f7dbf1beae998915ab0703206e93ede9eb64f06204ff85d1f7e96523e1d01d39e6eccdeae9175f00c71fc684503809443f4806ca70d34ecb8fea3145567d08c9

Download Submit
C:\Users\Admin\AppData\Roaming\clinkm2.data

Filesize
4KB

MD5
faac19c47a545f9491388977acd49255

SHA1
42aaa495f497d1fac4652bbb3bcfc9b539fc59e6

SHA256
913fb7d542c707fccb2c6ca77eea673209c4b3f7bb4448bdfe164b904d69b610

SHA512
3df669b4de9322995bdb061f5eba08095b4c74ccf2790d2013afbb713f830210c7122646b20ad7ca1c9e8e3bd9de2be6dfcd90d21536497af44ea7af6546526c

Download Submit
\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d.exe

Filesize
3.3MB

MD5
91e122cb79dd06013a7e75568084064f

SHA1
cbfab72a68523fd4b1822a954dc1b06403f53e78

SHA256
5bc221262fd6c78654aa863daaba906b74afd8ce0dd0c524e4eda0535ae3871d

SHA512
5b08e7e535e0cceb204748f6bdcb79963da562c37337a0964054baca927cf1593b89afe556d5e5427e0c511164428fcd554edde4513dc325cd10cd2b3c011dc2

Download Submit
\Users\Admin\AppData\Roaming\MHAutoPatch[ÔÆ]\MHAutoPatch.exe

Filesize
215KB

MD5
d6ad72cd6a081e752c0f4d83f451f8fe

SHA1
9c33b7ae87fd2833e8e7f33ddb8f9d09c48b60f1

SHA256
f4e63091b957402bd6dcf9c6256e1b61d749f754a1b77f47f1b0868c46c82db0

SHA512
a8b43239de23cd10d2dac93b144dd9f925390d6280ec9d743487b88eaba145cb601077ab2f4497d92ed232e102d35d0b38c8837313492a18fa5ff4adbc6bcada

Download Submit