revengerat | 496416a57a82d62211df726f36aa1b95a58e1f4feb5cc17081da50347bd0e676

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe
Size

51KB
MD5

09a31892d9e6bbab75d2872dafe87842
SHA1

73e703eaf21da47e7b82966cf4c9d2c8a00a1a8e
SHA256

496416a57a82d62211df726f36aa1b95a58e1f4feb5cc17081da50347bd0e676
SHA512

f38f6b09d0419678460484d8feebe6f2c4f598acff8e26de3440541660b2f8ca9c774913bb22767f99e02d2fbe1d1e121c291b8a3eb8a752811afeb89b65ebe1
SSDEEP

1536:Emc8myTtjMyp8TOhCXD7oLdozUPGTpl2T:i8mAJCXDQ6TDc

Score

10^/10

revengerat trampo stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Trampo

queda2122.ddns.net:333

Mutex

RV_MUTEX-JwUnoWrUUgHRHX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
RevengeRat Executable 1 IoCs
stealer

Processes:

resource yara_rule

behavioral1/memory/1796-1-0x0000000000300000-0x000000000030A000-memory.dmp revengerat
Drops startup file 1 IoCs

Processes:

MSBuild.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\operador.lnk MSBuild.exe
Executes dropped EXE 1 IoCs

Processes:

operador.exe

pid process

1412 operador.exe
Loads dropped DLL 2 IoCs

Processes:

MSBuild.exeMSBuild.exe

pid process

2600 MSBuild.exe
2720 MSBuild.exe

resource	yara_rule
behavioral1/memory/1796-1-0x0000000000300000-0x000000000030A000-memory.dmp	revengerat

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\operador.lnk	MSBuild.exe

pid	process
1412	operador.exe

pid	process
2600	MSBuild.exe
2720	MSBuild.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exeMSBuild.exeoperador.exeMSBuild.exe

description	pid	process	target process
PID 1796 set thread context of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 2600 set thread context of 2464	2600	MSBuild.exe	MSBuild.exe
PID 1412 set thread context of 2720	1412	operador.exe	MSBuild.exe
PID 2720 set thread context of 2072	2720	MSBuild.exe	MSBuild.exe

Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

1268 ipconfig.exe
1220 ipconfig.exe
3048 ipconfig.exe
2284 ipconfig.exe
1968 ipconfig.exe
1784 ipconfig.exe
844 ipconfig.exe
2124 ipconfig.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2792 PING.EXE
1668 PING.EXE
2120 PING.EXE
3004 PING.EXE

pid	process
1268	ipconfig.exe
1220	ipconfig.exe
3048	ipconfig.exe
2284	ipconfig.exe
1968	ipconfig.exe
1784	ipconfig.exe
844	ipconfig.exe
2124	ipconfig.exe

pid	process
2792	PING.EXE
1668	PING.EXE
2120	PING.EXE
3004	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exeMSBuild.exeoperador.exeMSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe
Token: SeDebugPrivilege	2600	MSBuild.exe
Token: SeDebugPrivilege	1412	operador.exe
Token: SeDebugPrivilege	2720	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.execmd.exeMSBuild.execmd.exeoperador.execmd.exeMSBuild.exe

description	pid	process	target process
PID 1796 wrote to memory of 3028	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	cmd.exe
PID 1796 wrote to memory of 3028	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	cmd.exe
PID 1796 wrote to memory of 3028	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	cmd.exe
PID 3028 wrote to memory of 3048	3028	cmd.exe	ipconfig.exe
PID 3028 wrote to memory of 3048	3028	cmd.exe	ipconfig.exe
PID 3028 wrote to memory of 3048	3028	cmd.exe	ipconfig.exe
PID 3028 wrote to memory of 3004	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 3004	3028	cmd.exe	PING.EXE
PID 3028 wrote to memory of 3004	3028	cmd.exe	PING.EXE
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 1796 wrote to memory of 2600	1796	09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe	MSBuild.exe
PID 2600 wrote to memory of 3040	2600	MSBuild.exe	cmd.exe
PID 2600 wrote to memory of 3040	2600	MSBuild.exe	cmd.exe
PID 2600 wrote to memory of 3040	2600	MSBuild.exe	cmd.exe
PID 2600 wrote to memory of 3040	2600	MSBuild.exe	cmd.exe
PID 3040 wrote to memory of 2284	3040	cmd.exe	ipconfig.exe
PID 3040 wrote to memory of 2284	3040	cmd.exe	ipconfig.exe
PID 3040 wrote to memory of 2284	3040	cmd.exe	ipconfig.exe
PID 3040 wrote to memory of 2284	3040	cmd.exe	ipconfig.exe
PID 3040 wrote to memory of 2792	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2792	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2792	3040	cmd.exe	PING.EXE
PID 3040 wrote to memory of 2792	3040	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 2464	2600	MSBuild.exe	MSBuild.exe
PID 2600 wrote to memory of 1412	2600	MSBuild.exe	operador.exe
PID 2600 wrote to memory of 1412	2600	MSBuild.exe	operador.exe
PID 2600 wrote to memory of 1412	2600	MSBuild.exe	operador.exe
PID 2600 wrote to memory of 1412	2600	MSBuild.exe	operador.exe
PID 1412 wrote to memory of 2192	1412	operador.exe	cmd.exe
PID 1412 wrote to memory of 2192	1412	operador.exe	cmd.exe
PID 1412 wrote to memory of 2192	1412	operador.exe	cmd.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 1412 wrote to memory of 2720	1412	operador.exe	MSBuild.exe
PID 2192 wrote to memory of 1968	2192	cmd.exe	ipconfig.exe
PID 2192 wrote to memory of 1968	2192	cmd.exe	ipconfig.exe
PID 2192 wrote to memory of 1968	2192	cmd.exe	ipconfig.exe
PID 2192 wrote to memory of 1668	2192	cmd.exe	PING.EXE
PID 2192 wrote to memory of 1668	2192	cmd.exe	PING.EXE
PID 2192 wrote to memory of 1668	2192	cmd.exe	PING.EXE
PID 2720 wrote to memory of 920	2720	MSBuild.exe	cmd.exe
PID 2720 wrote to memory of 920	2720	MSBuild.exe	cmd.exe
PID 2720 wrote to memory of 920	2720	MSBuild.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\09a31892d9e6bbab75d2872dafe87842_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\cmd.exe
cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:3048

C:\Windows\system32\PING.EXE
ping -n 60 127.0.0.1
3⤵
- Runs ping.exe
PID:3004

C:\Windows\system32\ipconfig.exe
ipconfig /renew
3⤵
- Gathers network information
PID:844

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:2284

C:\Windows\SysWOW64\PING.EXE
ping -n 60 127.0.0.1
4⤵
- Runs ping.exe
PID:2792

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
4⤵
- Gathers network information
PID:2124

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
3⤵
PID:2464

C:\Users\Admin\Documents\operador.exe
"C:\Users\Admin\Documents\operador.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\system32\cmd.exe
cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:1968

C:\Windows\system32\PING.EXE
ping -n 60 127.0.0.1
5⤵
- Runs ping.exe
PID:1668

C:\Windows\system32\ipconfig.exe
ipconfig /renew
5⤵
- Gathers network information
PID:1268

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig/release & ping -n 60 127.0.0.1 & ipconfig/renew & exit
5⤵
PID:920

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
6⤵
- Gathers network information
PID:1784

C:\Windows\SysWOW64\PING.EXE
ping -n 60 127.0.0.1
6⤵
- Runs ping.exe
PID:2120

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
6⤵
- Gathers network information
PID:1220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
5⤵
PID:2072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BawrHJf.txt
Filesize
84B

MD5
711978b7270409971bb05bf761d45e42

SHA1
fef984b5d347a691fe9802630250e77944eba10b

SHA256
783a6ae6c4746340a36b846f647582bae2529bf31d04ac76968dae82c722bb90

SHA512
bc74be3c971a3e05b3115685f021c56cb2d7b014d2c7db5f2f0f63df99abcea20885a844c8e34143851c7b45b8bc2c2104f827a1295d423f3c8f07f53be57ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BawrHJf.txt
Filesize
37B

MD5
eb5e8be870b8041e95811b6938b0e39b

SHA1
0209ddd24fcfefc931f151fad03cdb0f627f8152

SHA256
b40f3ad4508d3cc6020dfc9230b40e48441bd8c7e3a3be2962a040b5e5c136fd

SHA512
5ac1c14e8dd2ac65c1167896876f3ff513caa79620d857c246b1c878c665428b792bb4a419e12e33f85d43c19895e7a5f2db885b79d715de770f7a7da31273cf

Download Submit
\Users\Admin\Documents\operador.exe
Filesize
51KB

MD5
09a31892d9e6bbab75d2872dafe87842

SHA1
73e703eaf21da47e7b82966cf4c9d2c8a00a1a8e

SHA256
496416a57a82d62211df726f36aa1b95a58e1f4feb5cc17081da50347bd0e676

SHA512
f38f6b09d0419678460484d8feebe6f2c4f598acff8e26de3440541660b2f8ca9c774913bb22767f99e02d2fbe1d1e121c291b8a3eb8a752811afeb89b65ebe1

Download Submit
memory/1796-3-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-24-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-23-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-0-0x000007FEF55BE000-0x000007FEF55BF000-memory.dmp

Filesize
4KB

Download
memory/1796-47-0x000007FEF5300000-0x000007FEF5C9D000-memory.dmp

Filesize
9.6MB

Download
memory/1796-1-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download
memory/2072-78-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2072-81-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2464-39-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2464-46-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2464-31-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2464-34-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2464-43-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2464-32-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2600-55-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-26-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-25-0x0000000074151000-0x0000000074152000-memory.dmp

Filesize
4KB

Download
memory/2600-4-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-6-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-8-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-48-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-14-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-27-0x0000000074150000-0x00000000746FB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-10-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-22-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-19-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2600-15-0x0000000000080000-0x0000000000094000-memory.dmp

Filesize
80KB

Download
memory/2720-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-67-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2720-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download