win.revenant

Revenant


According to its author, Revenant is a third-party agent for Havoc, written in C and based on Talon. The implant is meant to expand on Talon by implementing covert methods of execution, more robust capabilities, and more customization.

References
2022-09-11 — Github (0xTriboulet) — Steve S
Github Repository for Revenant
Revenant
YARA Rules
[TLP:WHITE] win_revenant_auto (20260504 | Detects win.revenant.)
rule win_revenant_auto {
    // Autogenerated code-sequence signature for the Revenant Havoc agent (win.revenant).
    // Fires when at least 7 of the 10 byte sequences below occur in an object smaller
    // than 99328 bytes; see the DISCLAIMER on how the sequences were selected.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.revenant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.revenant"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a hex byte pattern; the hex is what YARA matches.
        // "??" bytes are wildcards. Given signator_config ("callsandjumps;datarefs"),
        // they presumably mask relocatable operands such as call/jmp displacements and
        // data references — confirm against the yara-signator documentation.
        // NOTE(review): the "//" mnemonic annotations are generator output and are
        // misaligned with the bytes they sit beside (e.g. in $sequence_7 the byte 5b is
        // annotated "ret" and 5e "push esi", whereas 5b is pop rbx/ebx, 5e is pop rsi/esi
        // and c3 is ret). Treat the annotations as informational only.
        $sequence_0 = { 4883c308 e8???????? 4839df 75cd 4c01e7 }
            // n = 5, score = 100
            //   4883c308             | mov                 eax, dword ptr [edx + eax]
            //   e8????????           |                     
            //   4839df               | dec                 esp
            //   75cd                 | add                 eax, ecx
            //   4c01e7               | jmp                 0x7a8

        $sequence_1 = { 4883ec60 4889cb e8???????? 488d0dea380000 e8???????? }
            // n = 5, score = 100
            //   4883ec60             | dec                 eax
            //   4889cb               | sub                 ebp, ebx
            //   e8????????           |                     
            //   488d0dea380000       | lea                 edx, [esi - 4]
            //   e8????????           |                     

        $sequence_2 = { 85c0 7521 488b542428 b940000000 41ffd6 4885c0 4889c2 }
            // n = 7, score = 100
            //   85c0                 | jmp                 0xa
            //   7521                 | ret                 
            //   488b542428           | push                esi
            //   b940000000           | je                  0x2a
            //   41ffd6               | dec                 ecx
            //   4885c0               | mov                 eax, esi
            //   4889c2               | mov                 ecx, 2

        $sequence_3 = { 4883ec28 4889cd 4889d3 4c89c7 4a8d0c0a 4c89ce }
            // n = 6, score = 100
            //   4883ec28             | dec                 eax
            //   4889cd               | mov                 ebp, eax
            //   4889d3               | dec                 eax
            //   4c89c7               | add                 esi, esi
            //   4a8d0c0a             | dec                 eax
            //   4c89ce               | mov                 ecx, esi

        $sequence_4 = { 4c8b3d???????? 4889c3 488d44244f 31d2 4d89f1 4889542420 41b800040000 }
            // n = 7, score = 100
            //   4c8b3d????????       |                     
            //   4889c3               | mov                 eax, edx
            //   488d44244f           | dec                 eax
            //   31d2                 | add                 esp, 0x28
            //   4d89f1               | dec                 ecx
            //   4889542420           | lea                 ecx, [edx + ebx]
            //   41b800040000         | inc                 cx

        $sequence_5 = { ff15???????? f644245c01 41b90a000000 7406 440fb74c2460 }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   f644245c01           | mov                 eax, dword ptr [esp + 0x28]
            //   41b90a000000         | xor                 edx, edx
            //   7406                 | dec                 eax
            //   440fb74c2460         | mov                 ecx, ebx

        $sequence_6 = { 5f c3 4889c8 803800 7405 }
            // n = 5, score = 100
            //   5f                   | mov                 eax, dword ptr [esp + 0x28]
            //   c3                   | dec                 eax
            //   4889c8               | mov                 ecx, esi
            //   803800               | dec                 eax
            //   7405                 | mov                 edx, dword ptr [esp + 0x20]

        $sequence_7 = { b90a000000 f3ab 4889d9 4889f0 4883c420 5b 5e }
            // n = 7, score = 100
            //   b90a000000           | add                 eax, 2
            //   f3ab                 | dec                 eax
            //   4889d9               | add                 esp, 0x38
            //   4889f0               | pop                 ebx
            //   4883c420             | pop                 esi
            //   5b                   | ret                 
            //   5e                   | push                esi

        $sequence_8 = { 0fb7942448010000 4889d9 e8???????? 8b542440 4889d9 e8???????? 418b542404 }
            // n = 7, score = 100
            //   0fb7942448010000     | dec                 eax
            //   4889d9               | mov                 edx, ebx
            //   e8????????           |                     
            //   8b542440             | dec                 eax
            //   4889d9               | mov                 ecx, edi
            //   e8????????           |                     
            //   418b542404           | inc                 ebp

        $sequence_9 = { 89c5 4889ea 896c244c ff15???????? 448b44244c }
            // n = 5, score = 100
            //   89c5                 | xor                 eax, eax
            //   4889ea               | mov                 dword ptr [esp + 0x2c], eax
            //   896c244c             | dec                 eax
            //   ff15????????         |                     
            //   448b44244c           | lea                 esi, [esp + 0x2c]

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned object must
        // be smaller than 99328 bytes (~97 KiB). The size bound means a larger unpacked
        // image or memory region will not match even if every sequence is present, so
        // account for it when applying the rule to dumps rather than files on disk.
        7 of them and filesize < 99328
}