revengerat | 83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 22:00

Target

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
Size

903KB
MD5

dcfb06761c3f85dfb38a098e7fdb6c19
SHA1

50adaccfb0862ec180a3effd72a5131ebd360490
SHA256

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365
SHA512

b725c65b0f97adc36168c507b21b78ef71902d6e8a15f32104f93a14f2e4fd6a023cb4df5f18c7fff9cf2eb19067adbe495868f72c59acf3c48ee88a38728613
SSDEEP

24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHaKZa5X:gh+ZkldoPK8YaKGX

Score

10^/10

Family

revengerat

Botnet

Marzo26

marzorevenger.duckdns.org:4230

Mutex

RV_MUTEX-PiGGjjtnxDpn

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Drops startup file 1 IoCs

Processes:

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url 83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

description pid process target process

PID 936 set thread context of 4712 936 83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 4712 RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioHandlers.url	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

description	pid	process	target process
PID 936 set thread context of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4712	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

pid	process
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

pid	process
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe
936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe

description	pid	process	target process
PID 936 wrote to memory of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe
PID 936 wrote to memory of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe
PID 936 wrote to memory of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe
PID 936 wrote to memory of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe
PID 936 wrote to memory of 4712	936	83240c5297f75f8b4a49c1c16afde6fa0db4c0f00e3f515ecf13c889eea0b365.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

memory/936-0-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4712-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4712-5-0x0000000073692000-0x0000000073693000-memory.dmp

Filesize
4KB

Download
memory/4712-6-0x0000000073690000-0x0000000073C41000-memory.dmp

Filesize
5.7MB

Download
memory/4712-7-0x0000000073690000-0x0000000073C41000-memory.dmp

Filesize
5.7MB

Download
memory/4712-11-0x0000000073692000-0x0000000073693000-memory.dmp

Filesize
4KB

Download
memory/4712-12-0x0000000073690000-0x0000000073C41000-memory.dmp

Filesize
5.7MB

Download