malware-analysis-writeups/RevengeRAT/RevengeRAT.md at main
· itaymigdal/malware-analysis-writeups
By itaymigdal
Archived: 2026-04-05 21:41:39 UTC
Revenge RAT
Malware Name File Type SHA256
Revenge RAT vbs 35513e333c1138e4e1199640d44ea9eca3c91deb6c485f828c898a4e76ab5af5
Analysis process
This infection started from a suspicious email with a link to a file hosted on Onedrive. the downloaded file is a
VBS file. The content is highly obfuscated:
Here i used CMDWatcher in interactive mode in order to catch suspicious process spawns:
We see that the malware dropped a Powershell script to AppData\local\temp . opening it in Powershell_ise:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
Page 1 of 5

The one main thing that caught my eyes immediately was 2 long byte arrays: "RunPE" and "Bytes". of course
there are a bunch of other interesting stuff but we'll be back to that little later.
I dropped the two files to disk using Powershell:
Observing the "Bytes" file reveals that it is a PE File:
Checking the signature:
So, Dropping it to ILSpy:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
Page 2 of 5

And here is the malware config :)
We see that this is the "Revenge RAT".
C2: h0pe1759.ddns.net
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
Page 3 of 5

Qhick googling takes us to the exact repo that this code is taken from:
The code contains a lot of capabilities like taking screenshots, retrieve information, get installed AV and more
(thanks to the malware author for the detailed documentation 😘)
The other file that dropped to disk is a compressed Csharp code that gets compiled at runtime, and his purpose is
to RunPE (AKA process hollowing) the RAT inside the legit InstallUtil.exe Binary (in this case):
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
Page 4 of 5

While writing these letters i found out a detailed Blogpost on that exact infection by Morphysec.
Source: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md
Page 5 of 5