# Revenge RAT

Source: [github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md](https://github.com/itaymigdal/malware-analysis-writeups/blob/main/RevengeRAT/RevengeRAT.md), by itaymigdal

| Malware Name | File Type | SHA256 |
|---|---|---|
| Revenge RAT | vbs | 35513e333c1138e4e1199640d44ea9eca3c91deb6c485f828c898a4e76ab5af5 |

## Analysis process

This infection started from a suspicious email with a link to a file hosted on OneDrive. The downloaded file is a VBS file, and its content is highly obfuscated.

Here I used [CMDWatcher in interactive mode in order to catch suspicious process spawns](https://www.kahusecurity.com/posts/cmd_watcher_updated.html).

We see that the malware dropped a PowerShell script to `AppData\local\temp`. Opening it in PowerShell ISE, the one thing that caught my eye immediately was two long byte arrays, "RunPE" and "Bytes". Of course there is a bunch of other interesting stuff, but we'll come back to that a little later.

I dropped the two files to disk using PowerShell. Observing the "Bytes" file reveals that it is a PE file, and checking the signature confirms it. So, dropping it into ILSpy:

And here is the malware config :) We see that this is the "Revenge RAT".

C2: h0pe1759.ddns.net

Quick googling takes us to the exact repo that this code is taken from. The code contains a lot of capabilities, like taking screenshots, retrieving information, getting the installed AV and more (thanks to the malware author for the detailed documentation 😘).

The other file that was dropped to disk is compressed C# code that gets compiled at runtime; its purpose is to RunPE (AKA process hollowing) the RAT inside a legitimate binary, InstallUtil.exe in this case.

While writing these lines I found a detailed [blog post on that exact infection by Morphisec](https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader).
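The manual steps above (pull the two byte arrays out of the dropped PowerShell script, write them to disk, check whether each is a PE image or a compressed source payload) can be scripted so the triage is repeatable on the next loader of this family. The following is an added example written for this page; it is not the author's tooling and not code from the writeup. It assumes the arrays are declared as ordinary PowerShell byte literals (`[byte[]]$Bytes = 0x4D,0x5A,...` or `$RunPE = @(31,139,...)`), and it treats the compressed C# source as gzip or raw DEFLATE, which is an assumption: the writeup only says the code is "compressed". The sample script it runs on is constructed inline (a stub PE header and a gzipped C# snippet), not the real dropper.

```python
"""Extract byte-array payloads from a dropped PowerShell loader and classify each one.

Added example for triage of loaders like the one in the writeup; the regex, the
compression scheme and the sample script below are assumptions, not the dropper's.
"""
import gzip
import os
import re
import struct
import zlib

# Matches one PowerShell byte-array declaration (assumption: one per statement), e.g.
#   [byte[]]$Bytes = 0x4D,0x5A,0x90,...
#   $RunPE = @(31,139,8,...)
ARRAY_RE = re.compile(
    r"(?:\[byte\[\]\]\s*)?\$(?P<name>[A-Za-z_]\w*)\s*=\s*@?\(?\s*"
    r"(?P<body>(?:0x[0-9A-Fa-f]{1,2}|\d{1,3})(?:\s*,\s*(?:0x[0-9A-Fa-f]{1,2}|\d{1,3}))+)",
    re.IGNORECASE,
)


def _to_int(tok: str) -> int:
    tok = tok.strip()
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def extract_arrays(script: str) -> dict:
    """Return {variable_name: bytes} for every byte-array literal found in the script."""
    found = {}
    for m in ARRAY_RE.finditer(script):
        values = [_to_int(t) for t in m.group("body").split(",")]
        if all(0 <= v <= 255 for v in values):  # skip int arrays that are not bytes
            found[m.group("name")] = bytes(values)
    return found


def classify(data: bytes) -> str:
    """Identify a dropped blob: PE image, compressed source payload, or unknown."""
    # PE check: 'MZ' DOS header, e_lfanew at offset 0x3C must point at 'PE\0\0'
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE executable"
        return "MZ header without valid PE signature"
    # Compressed payload check: gzip magic 1F 8B first, then raw DEFLATE (as .NET DeflateStream emits)
    if data[:2] == b"\x1f\x8b":
        try:
            inflated, kind = gzip.decompress(data), "gzip"
        except (OSError, EOFError):
            return "gzip header but corrupt stream"
    else:
        try:
            inflated, kind = zlib.decompress(data, -15), "deflate"
        except zlib.error:
            return "unknown"
    text = inflated.decode("utf-8", errors="replace")
    if "using System" in text or "class " in text:
        return f"{kind}-compressed C# source ({len(inflated)} bytes)"
    return f"{kind}-compressed data ({len(inflated)} bytes)"


def dump_arrays(script: str, out_dir: str) -> dict:
    """Write each extracted array to out_dir/<name>.bin and return {name: classification}."""
    os.makedirs(out_dir, exist_ok=True)
    report = {}
    for name, blob in extract_arrays(script).items():
        with open(os.path.join(out_dir, f"{name}.bin"), "wb") as fh:
            fh.write(blob)
        report[name] = classify(blob)
    return report


def build_sample_script() -> str:
    """Constructed stand-in for the dropped script (not the real one): stub PE + gzipped C#."""
    # 'MZ', zero padding to 0x3C, e_lfanew = 0x40, then the PE signature at 0x40
    stub_pe = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    csharp = b"using System;\nnamespace Loader { public class RunPE { } }\n"
    return "\n".join([
        "# constructed sample, not the real dropper",
        "[byte[]]$Bytes = " + ",".join(f"0x{b:02X}" for b in stub_pe),
        "$RunPE = @(" + ",".join(str(b) for b in gzip.compress(csharp)) + ")",
    ])


if __name__ == "__main__":
    for name, verdict in dump_arrays(build_sample_script(), "extracted_arrays").items():
        print(f"{name}: {verdict}")
```

On a real sample, point `dump_arrays` at the script text from `AppData\local\temp` and inspect the `.bin` files it writes; a verdict of "PE executable" is the blob to open in ILSpy, and a "compressed C# source" verdict is the runtime-compiled loader whose decompressed text is worth reading before anything is executed.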