revengerat | c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb

General

Target

Claws.exe
Size

169KB
MD5

7722c519958c86885ca19a7d9940b9c8
SHA1

bb0c80aa03b1b9f3675f0a827a35f54d73b83a15
SHA256

c516c1a413288af6311756bf33692d514d811e9d7dbbc7d873065f8bae6f32bb
SHA512

c0591c7f8682a643a5d41d3add9464a2bac2bc86b70b8b67613cb20f7f40d607deb64e9bf823c9cf4991547ff42c6f1279e548b54dbab954bad24cdc9b65006b
SSDEEP

3072:YLb2/QzfuruwSg1YyRyaAlYLC1ERXEqYPhVdU9HOcLkl+KUS:5M2OWYGyLlYW2uKBOcAUS

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00070000000242bc-22.dat	revengerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Claws.exe

Executes dropped EXE 2 IoCs

pid	Process
4812	1.exe
772	2.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Command.EXE	Claws.exe
File opened for modification	C:\Windows\SysWOW64\Command.EXE	Claws.exe
File created	C:\Windows\SysWOW64\2.exe	Claws.exe
File created	C:\Windows\SysWOW64\system.EXE	Claws.exe
File opened for modification	C:\Windows\SysWOW64\system.EXE	Claws.exe
File created	C:\Windows\SysWOW64\1.exe	Claws.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 1852	772	2.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3176	1852	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Claws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5580 wrote to memory of 4812	5580	Claws.exe	86
PID 5580 wrote to memory of 4812	5580	Claws.exe	86
PID 5580 wrote to memory of 772	5580	Claws.exe	87
PID 5580 wrote to memory of 772	5580	Claws.exe	87
PID 5580 wrote to memory of 772	5580	Claws.exe	87
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88
PID 772 wrote to memory of 1852	772	2.exe	88

C:\Users\Admin\AppData\Local\Temp\Claws.exe
"C:\Users\Admin\AppData\Local\Temp\Claws.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5580
- C:\Windows\SysWOW64\1.exe
  "C:\Windows\system32\1.exe"
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\SysWOW64\2.exe
  "C:\Windows\system32\2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 200
      4⤵
      Program crash
      PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1852 -ip 1852
1⤵
PID:4476

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\1.exe

Filesize
22KB

MD5
c217657dadbab82ae4f216299d9f63c0

SHA1
c12c42347c68182e15607bc4d44c4db9964c4e70

SHA256
c8b5dfcd40662c3d92b0bf12e6ba7fe8417a6438b84ff33fe7d4e486133c9d22

SHA512
7b9dc181c3a2da958a45066549ba13d89eb1997f94ac3a4b9bf015249bce4e5d59e683e0dc732a161e6e391f50a16554072a51a794cfc0fc55136d8ee2e95599

Download Submit
C:\Windows\SysWOW64\2.exe

Filesize
143KB

MD5
ed45d84cc5d0fafd5dd6372976462a5d

SHA1
6bf44c21677f1e9616300e93e3d62c18d85f811e

SHA256
efae476d241067b3ebc77f3b6c7e65c5b6c0dc1b956a8b460cd830123fdad3a0

SHA512
52d16f9378f62eada0f500ddad1fd321f0c3badaefa86f5b00a9fd222f99b8e642f3659587038dbe490f25e9fbd90890a33120fe0e6a6d9a0eef8c1823de72c7

Download Submit
memory/772-49-0x0000000073740000-0x0000000073CF1000-memory.dmp

Filesize
5.7MB

Download
memory/772-27-0x0000000073742000-0x0000000073743000-memory.dmp

Filesize
4KB

Download
memory/772-43-0x0000000073740000-0x0000000073CF1000-memory.dmp

Filesize
5.7MB

Download
memory/772-42-0x0000000073742000-0x0000000073744000-memory.dmp

Filesize
8KB

Download
memory/1852-40-0x00000000007B0000-0x00000000007DC000-memory.dmp

Filesize
176KB

Download
memory/1852-37-0x00000000007B0000-0x00000000007DC000-memory.dmp

Filesize
176KB

Download
memory/1852-34-0x00000000007B0000-0x00000000007DC000-memory.dmp

Filesize
176KB

Download
memory/4812-28-0x00007FF911045000-0x00007FF911046000-memory.dmp

Filesize
4KB

Download
memory/4812-31-0x000000001C2F0000-0x000000001C396000-memory.dmp

Filesize
664KB

Download
memory/4812-41-0x00007FF910D90000-0x00007FF911731000-memory.dmp

Filesize
9.6MB

Download
memory/4812-30-0x000000001BB20000-0x000000001BFEE000-memory.dmp

Filesize
4.8MB

Download
memory/4812-29-0x00007FF910D90000-0x00007FF911731000-memory.dmp

Filesize
9.6MB

Download
memory/4812-44-0x000000001CD10000-0x000000001CDAC000-memory.dmp

Filesize
624KB

Download
memory/4812-45-0x0000000000DC0000-0x0000000000DC8000-memory.dmp

Filesize
32KB

Download
memory/4812-46-0x00007FF911045000-0x00007FF911046000-memory.dmp

Filesize
4KB

Download
memory/4812-47-0x00007FF910D90000-0x00007FF911731000-memory.dmp

Filesize
9.6MB

Download
memory/4812-48-0x00007FF910D90000-0x00007FF911731000-memory.dmp

Filesize
9.6MB

Download
memory/5580-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5580-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing