{
	"id": "3299335e-69bc-4316-9b99-087f3d1ffcfb",
	"created_at": "2026-04-06T00:18:02.550677Z",
	"updated_at": "2026-04-10T13:12:55.717167Z",
	"deleted_at": null,
	"sha1_hash": "2da6a1a87148bb75bfd99d7dafaa08f8a867626e",
	"title": "malware-analysis-writeups/RevengeRAT/RevengeRAT.md at main · itaymigdal/malware-analysis-writeups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3827853,
	"plain_text": "malware-analysis-writeups/RevengeRAT/RevengeRAT.md at main\r\n· itaymigdal/malware-analysis-writeups\r\nBy itaymigdal\r\nArchived: 2026-04-05 21:41:39 UTC\r\nRevenge RAT\r\nMalware Name: Revenge RAT\r\nFile Type: vbs\r\nSHA256: 35513e333c1138e4e1199640d44ea9eca3c91deb6c485f828c898a4e76ab5af5\r\nAnalysis process\r\nThis infection started from a suspicious email with a link to a file hosted on OneDrive. The downloaded file is a VBS file. The content is highly obfuscated:\r\nHere I used CMDWatcher in interactive mode in order to catch suspicious process spawns:\r\nWe see that the malware dropped a PowerShell script to AppData\\local\\temp. Opening it in PowerShell ISE:\r\nhttps://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md\r\nPage 1 of 5\r\n\r\nThe one thing that caught my eye immediately was two long byte arrays: \"RunPE\" and \"Bytes\". Of course there is a bunch of other interesting stuff, but we'll come back to that a little later.\r\nI dropped the two files to disk using PowerShell:\r\nObserving the \"Bytes\" file reveals that it is a PE file:\r\nChecking the signature:\r\nSo, dropping it into ILSpy:\r\n\r\nAnd here is the malware config :)\r\nWe see that this is the \"Revenge RAT\".\r\nC2: h0pe1759.ddns.net\r\n\r\nQuick googling takes us to the exact repo that this code is taken from:\r\nThe code contains a lot of capabilities like taking screenshots, retrieving information, getting the installed AV and more (thanks to the malware author for the detailed documentation 😘)\r\nThe other file dropped to disk is compressed C# code that gets compiled at runtime; its purpose is to RunPE (AKA process hollowing) the RAT inside the legitimate InstallUtil.exe binary (in this case):\r\n\r\nWhile writing these lines I found a detailed blog post on that exact infection by Morphisec.\r\nSource: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md"
	],
	"report_names": [
		"RevengeRAT.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434682,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2da6a1a87148bb75bfd99d7dafaa08f8a867626e.pdf",
		"text": "https://archive.orkl.eu/2da6a1a87148bb75bfd99d7dafaa08f8a867626e.txt",
		"img": "https://archive.orkl.eu/2da6a1a87148bb75bfd99d7dafaa08f8a867626e.jpg"
	}
}