Skip to content

S0379 Revenge RAT

Revenge RAT is a freely available remote access tool written in .NET (C#).12

Item Value
ID S0379
Associated Names
Version 1.1
Created 02 May 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1123 Audio Capture Revenge RAT has a plugin for microphone interception.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.2
enterprise T1059.003 Windows Command Shell Revenge RAT uses cmd.exe to execute commands and run scripts on the victim’s machine.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Revenge RAT uses Base64 to encode information sent to the C2 server.1
enterprise T1202 Indirect Command Execution Revenge RAT uses the Forfiles utility to execute commands on the system.2
enterprise T1105 Ingress Tool Transfer Revenge RAT has the ability to upload and download files.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Revenge RAT has a plugin for keylogging.12
enterprise T1003 OS Credential Dumping Revenge RAT has a plugin for credential harvesting.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Revenge RAT has a plugin to perform RDP access.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Revenge RAT schedules tasks to run malicious scripts at different intervals.2
enterprise T1113 Screen Capture Revenge RAT has a plugin for screen capture.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Revenge RAT uses mshta.exe to run malicious scripts on the system.2
enterprise T1082 System Information Discovery Revenge RAT collects the CPU information, OS information, and system language.1
enterprise T1016 System Network Configuration Discovery Revenge RAT collects the IP address and MAC address from the system.1
enterprise T1033 System Owner/User Discovery Revenge RAT gathers the username from the system.1
enterprise T1125 Video Capture Revenge RAT has the ability to access the webcam.12
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Revenge RAT used as its primary command and control server during a campaign.2

Groups That Use This Software

ID Name References
G0089 The White Company 1