revengerat | 5069f377047dcab276edcf1a759208fcd6723b11dc41a77b0e4ca273a976f699 | Triage

Submit
Reports

Overview

overview

Static

static

3

Settings.exe

windows10-2004-x64

Sharing

General

Target

Settings.exe
Size

575KB
Sample

250404-1bmj4svvet
MD5

f6b9a7b049f67e96f3440598b133bfe6
SHA1

968116843fe315d8786070a9745c14b5039d415c
SHA256

5069f377047dcab276edcf1a759208fcd6723b11dc41a77b0e4ca273a976f699
SHA512

235a8b11c6c3274da2cb660e6e6592588779682e82708ba15a8ab71b6ed4df259a9f0f746474d42a0cbb040fe5eb39276d006cb63fbdd51f13d15c64956f46ba
SSDEEP

12288:d++zuhAfzEhSFYBSYiMpPU/anILVap192ti/Ajt:nmvhSWNiMVbMaotr

Score

10^/10

revengerat umbral xworm execution rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Settings.exe

Resource

win10v2004-20250314-en

revengerat umbral xworm execution rat stealer trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

umbral

C2

https://discordapp.com/api/webhooks/1357765742434717747/kDbvfLYHBAGDInmRBSFI2ybqxiaeMAp3iQtloLjdcA7NcBJ1xBLrGexQcyKSOZNwvdMD

Targets

- Target
  
  Settings.exe
- Size
  
  575KB
- MD5
  
  f6b9a7b049f67e96f3440598b133bfe6
- SHA1
  
  968116843fe315d8786070a9745c14b5039d415c
- SHA256
  
  5069f377047dcab276edcf1a759208fcd6723b11dc41a77b0e4ca273a976f699
- SHA512
  
  235a8b11c6c3274da2cb660e6e6592588779682e82708ba15a8ab71b6ed4df259a9f0f746474d42a0cbb040fe5eb39276d006cb63fbdd51f13d15c64956f46ba
- SSDEEP
  
  12288:d++zuhAfzEhSFYBSYiMpPU/anILVap192ti/Ajt:nmvhSWNiMVbMaotr
Score

10^/10

revengerat umbral xworm execution rat stealer trojan
- Detect Umbral payload
- Detect Xworm Payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- RevengeRat Executable
  stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratumbralxwormexecutionratstealertrojan

© 2018-2025

Terms | Privacy