RevengeRAT [Remote Access Trojan]

RevengeRAT is a Remote Access Trojan that has been attacking computers globally since 2016; the most recent attacks have occurred in North America, Asia, the Middle East and Europe.

This type of malware is delivered via spam or phishing emails containing Microsoft Word documents. These documents contain malicious macros which launch an Object Linking and Embedding (OLE) file. This OLE file then extracts and installs an Excel document containing a command to download a malicious JavaScript script.

Once the script is executed it attempts to disable Windows Defender and Office Protected View, before closing the running Office applications. It then enables macros for Microsoft Word, PowerPoint and Excel, and creates a registry key used to obtain a script that downloads RevengeRAT.
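The settings the script weakens live in well-known registry locations, so an audit can look for them directly. The following is an added defender-side check, not code from the original post or from the malware: it enumerates the per-user Office macro and Protected View values and the machine-wide Windows Defender policy values, and reports any that are in the weakened state. The Office version numbers and app names are the standard key names (14.0/15.0/16.0; Word/Excel/PowerPoint); run from an elevated PowerShell so the HKLM keys are readable.

```powershell
# Added audit script (not part of the original post). Reports Office and
# Defender registry settings left in a weakened state.
$findings = @()

$officeVersions = @('14.0', '15.0', '16.0')   # Office 2010 / 2013 / 2016 and later
$apps = @('Word', 'Excel', 'PowerPoint')

foreach ($ver in $officeVersions) {
    foreach ($app in $apps) {
        $sec = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
        if (-not (Test-Path $sec)) { continue }

        # VBAWarnings = 1 means "Enable all macros" (the value a dropper sets).
        $vba = (Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue).VBAWarnings
        if ($vba -eq 1) {
            $findings += [pscustomobject]@{ Key = $sec; Value = 'VBAWarnings'; Data = $vba; Issue = 'All macros enabled' }
        }

        # Each Disable*InPV = 1 switches off one Protected View trigger.
        # "DisableAttachementsInPV" is the real value name, misspelling included.
        $pv = Join-Path $sec 'ProtectedView'
        if (Test-Path $pv) {
            $pvProps = Get-ItemProperty -Path $pv -ErrorAction SilentlyContinue
            foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
                if ($pvProps.$name -eq 1) {
                    $findings += [pscustomobject]@{ Key = $pv; Value = $name; Data = 1; Issue = 'Protected View disabled' }
                }
            }
        }
    }
}

# Windows Defender policy values that disable the engine or real-time scanning.
$defenderChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Value = 'DisableAntiSpyware' },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Value = 'DisableRealtimeMonitoring' }
)
foreach ($c in $defenderChecks) {
    if (Test-Path $c.Key) {
        $data = (Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue).($c.Value)
        if ($data -eq 1) {
            $findings += [pscustomobject]@{ Key = $c.Key; Value = $c.Value; Data = $data; Issue = 'Defender disabled by policy' }
        }
    }
}

if ($findings.Count -eq 0) { 'No weakened Office/Defender settings found.' }
else { $findings | Format-Table -AutoSize }
```

The HKCU hive only reflects the user running the script; to cover every profile on a host, load each user's NTUSER.DAT or run the check under each account.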

Once executed, RevengeRAT connects to a command and control (C2) server and awaits further commands. By default, it has the following capabilities:

  • Open a remote shell on the system.
  • Manage Windows system files such as the hosts file.
  • Create, modify or terminate processes and services.
  • Create, modify or delete registry keys.
  • Track the system via IP location.

Lookup of HASH –
6101f3210638a6068a9d40077f958e8d8a99ffed686a48426784f368e0ac021b

The following indicators were identified as associated with RevengeRAT; however, they may not be exclusive to RevengeRAT.

Malicious Documents and Payloads
Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
