{
	"id": "ba1a6084-3732-41b9-8554-c93fc5fd784c",
	"created_at": "2026-04-06T00:21:01.274803Z",
	"updated_at": "2026-04-10T03:20:44.865114Z",
	"deleted_at": null,
	"sha1_hash": "2c4b380e2f86c77558b9a339864327c2253bc034",
	"title": "Fileless Revenge RAT Malware - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3493796,
	"plain_text": "Fileless Revenge RAT Malware - ASEC\r\nBy ATCP\r\nPublished: 2024-02-05 · Archived: 2026-04-05 18:53:44 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that malicious activity has occurred.\r\nAs shown in the code below, the threat actor creates and runs Setup.exe (malicious file) before executing smtp-verifier.exe (legitimate tool). The created file’s attribute is set to ‘Hidden’, so the file is not shown in a typical Windows Explorer environment.\r\nhttps://asec.ahnlab.com/en/61584/\r\nPage 1 of 7\n\nThe figure below shows the overall flow of the malicious activities that follow. Many files are generated in the process, with the threat actor’s ultimate goal being to run the Revenge RAT malware.\r\nThe malicious file “setup.exe” created alongside the legitimate tool only plays the role of generating additional malware, as shown below.\r\n[ Setup.exe ]\r\n1. Creates and runs svchost.exe in the %appdata%\\Microsoft\\Windows\\Templates path with the FileAttribute.Hidden property\r\n2. Registers the generated svchost.exe in the registry for autorun (Value Name: Microsoft Corporation Security)\r\nsvchost.exe performs the following actions:\r\n[ svchost.exe ]\r\n1. Connects to the C2 (hxxps://***********[.]blogspot.com) and downloads an HTML file\r\n2. Reads and decompresses a specific comment (annotation) in that HTML file, then creates and runs explorer.exe in the %appdata%\\Microsoft\\Windows\\Templates path\r\nThe C2 is disguised as an ordinary blog and hides the malicious file in a comment line at a specific offset. The malware reads the value between \u003c!–1111 – 2222–\u003e written inside the HTML file, Base64-decodes it, decompresses it, and generates additional malware.\r\nIf the C2 URL mentioned in Step 1 is inaccessible, the malware accesses a different C2 URL (hxxp://**********.***********[.]com/2023/explorer.txt). When connected, a new C2 URL is returned which is also disguised as a normal blog. The threat actor deployed this fallback mechanism for the case where the existing C2 URL is blocked or the threat actor moves to a new C2.\r\nThe malicious file (explorer.exe) extracted from the C2’s HTML file performs the following actions:\r\n[ explorer.exe ]\r\n1. Creates the version.exe file in the %appdata%\\Microsoft\\Windows\\ path\r\n2. Creates an .inf file containing the path of version.exe in the %temp% path and executes it by passing it as an argument to cmstp.exe (CMSTP defense evasion)\r\n3. Runs Revenge RAT filelessly\r\nThe generated version.exe performs a simple task, shown below:\r\n[ version.exe ]\r\n1. Registers the files used in the attack as Windows Defender exclusions using a PowerShell command\r\nThe threat actor then passes version.exe to cmstp.exe and runs it. This is CMSTP evasion, a technique that runs a malicious file through a built-in Windows program (cmstp.exe) to bypass antivirus detection. MITRE ATT\u0026CK categorizes the CMSTP evasion technique as System Binary Proxy Execution: CMSTP (T1218.003). This technique was introduced in ASEC Blog’s previous articles [1][2] (these reports are available in Korean only for now) and is commonly used in various malware strains.\r\nThe .inf file that is passed to cmstp.exe as an argument is generated with a random filename (g1rfp0hb.inf at the time of analysis) in the %temp% path. It exists as a template inside the resource area of explorer.exe; when the file is generated, the ‘REPLACE_COMMAND_LINE’ string in the template is replaced with the path of version.exe.\r\nThe version.exe launched using the CMSTP evasion technique executes the following command and registers the malicious files used in the attack as Windows Defender exclusions. Note that most of the malicious files used in the attack phase, such as explorer.exe and svchost.exe, are named after default Windows programs.\r\ncmd.exe /c PoserShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath\r\n%appdata%\\Microsoft\\Windows\\explorer.exe\r\n%appdata%\\Microsoft\\Windows\\Cortana.exe\r\n%appdata%\\Microsoft\\Windows\\OneDrive.exe\r\n%appdata%\\Microsoft\\Windows\\Templates\\svchost.exe\r\n%appdata%\\Microsoft\\Windows\\SystemSettings.exe\r\n%appdata%\\Microsoft\\Windows\\Taskmgr.exe\r\nAfterward, the malware reads a binary from its resource area and decrypts it using the DES algorithm, finally revealing the threat actor’s end goal, Revenge RAT. MITRE ATT\u0026CK tracks this RAT as Revenge RAT (S0379) and lists malicious capabilities such as collection of system information, screen capture, keylogging, additional malware download, and script execution.\r\nRevenge RAT runs filelessly in memory. It collects data from the victim’s PC and sends it to the C2 (qcpanel.hackcrack[.]io:9561) in Base64-encoded form. The types of user data stolen are shown below:\r\n[ Stolen Data ]\r\n1. PC and user name\r\n2. System information such as the OS, CPU, and drive capacity\r\n3. Information about the parent process used to execute Revenge RAT\r\n4. IP address and region information\r\n5. Names of anti-virus and firewall products in use\r\nUsers must take extra caution when using open-source or public tools like the ones mentioned in this article, and always download them from the official website.\r\n[File Detection]\r\n– Trojan/Win.Generic.C4223332\r\n– Trojan/Win.Generic.C5583117\r\n– Dropper/Win.Generic.C5445718\r\n– Dropper/Win.Generic.R634030\r\n– Backdoor/Win.REVENGERAT.C5582863\r\n– Backdoor/Win.REVENGERAT.R634026\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//amazonhost[.]thedreamsop[.]com/2023/explorer[.]txt\r\nhttp[:]//qcpanel[.]hackcrack[.]io[:]9561/\r\nhttps[:]//proxy-cheap[.]blogspot[.]com/\r\nSource: https://asec.ahnlab.com/en/61584/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/61584/"
	],
	"report_names": [
		"61584"
	],
	"threat_actors": [],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c4b380e2f86c77558b9a339864327c2253bc034.pdf",
		"text": "https://archive.orkl.eu/2c4b380e2f86c77558b9a339864327c2253bc034.txt",
		"img": "https://archive.orkl.eu/2c4b380e2f86c77558b9a339864327c2253bc034.jpg"
	}
}