revengerat | 68dd35d8e090d38ce3f32e1cd62cbc8694c1119eda4bdfb27d90a83e31336d92 | Triage

Submit
Reports

Overview

overview

Static

static

1

Reserva Detalhes.ppam

windows7-x64

Reserva Detalhes.ppam

windows10-2004-x64

Sharing

General

Target

Reserva Detalhes.ppam
Size

12KB
Sample

240606-sblc2sgf79
MD5

ccf9ad38175132df46d557052a4189c7
SHA1

cfe31d9d10e6459f7d6c9cad1d7b1a001f049e7d
SHA256

68dd35d8e090d38ce3f32e1cd62cbc8694c1119eda4bdfb27d90a83e31336d92
SHA512

005ff866a2b2c406d3b7be8016d24a21fca21ceb31510accb73cdbca68e0eb76259b97fb6ec504ea397990a85c2b2d5c1a89de6c2245d953e6d97cfd39116347
SSDEEP

384:dXP8BPMpJA8+SC0hUYRknWyGzfisnru6C86:VP4PMpJ3vhJytou6P6

Score

10^/10

revengerat nyancatrevenge execution persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

Reserva Detalhes.ppam

Resource

win7-20240508-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

Reserva Detalhes.ppam

Resource

win10v2004-20240426-en

revengerat nyancatrevenge execution persistence trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/gk5zDwdG

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

1702a2bb715848

Targets

- Target
  
  Reserva Detalhes.ppam
- Size
  
  12KB
- MD5
  
  ccf9ad38175132df46d557052a4189c7
- SHA1
  
  cfe31d9d10e6459f7d6c9cad1d7b1a001f049e7d
- SHA256
  
  68dd35d8e090d38ce3f32e1cd62cbc8694c1119eda4bdfb27d90a83e31336d92
- SHA512
  
  005ff866a2b2c406d3b7be8016d24a21fca21ceb31510accb73cdbca68e0eb76259b97fb6ec504ea397990a85c2b2d5c1a89de6c2245d953e6d97cfd39116347
- SSDEEP
  
  384:dXP8BPMpJA8+SC0hUYRknWyGzfisnru6C86:VP4PMpJ3vhJytou6P6
Score

10^/10

revengerat nyancatrevenge execution persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

JavaScript

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengeexecutionpersistencetrojan

© 2018-2024

Terms | Privacy