revengerat | 8c61ba7b253707486b186d4cb87add887f6e0d47a82818a0c17f38a1283b28a8

General

Target

ac31a6e33a56b45bdd8cfd2adf58c123.exe
Size

210KB
MD5

ac31a6e33a56b45bdd8cfd2adf58c123
SHA1

2cb2aebfab91b987f6a820bbf91a15ea9855b937
SHA256

8c61ba7b253707486b186d4cb87add887f6e0d47a82818a0c17f38a1283b28a8
SHA512

51a96ceba6ef87a5e9e937648f2d85c535ff1a66ccbde6316485f967db672ac638ebddfb2f59e263b0429c43626fc93e7f779f080a18eec1d3311544d5773030

Score

10^/10

revengerat nyancatrevenge trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

194.5.99.181:4452

Mutex

eac1ab2a222

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Executes dropped EXE 1 IoCs

Processes:

Jjjmzioi.exe

pid process

2024 Jjjmzioi.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2044 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

2044 AcroRd32.exe
2044 AcroRd32.exe
2044 AcroRd32.exe
2044 AcroRd32.exe
2044 AcroRd32.exe

pid	process
2024	Jjjmzioi.exe

pid	process
2044	AcroRd32.exe

pid	process
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe
2044	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ac31a6e33a56b45bdd8cfd2adf58c123.exe

description	pid	process	target process
PID 1108 wrote to memory of 2024	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 1108 wrote to memory of 2024	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 1108 wrote to memory of 2024	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 1108 wrote to memory of 2024	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	Jjjmzioi.exe
PID 1108 wrote to memory of 2044	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 2044	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 2044	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 2044	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 1468	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 1468	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 1468	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe
PID 1108 wrote to memory of 1468	1108	ac31a6e33a56b45bdd8cfd2adf58c123.exe	AcroRd32.exe

C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe
"C:\Users\Admin\AppData\Local\Temp\ac31a6e33a56b45bdd8cfd2adf58c123.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
"C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe"
2⤵
- Executes dropped EXE
PID:2024

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf"
2⤵
PID:1468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
MD5
40edbaf0a7ce2851f0883e49ee1db609

SHA1
40c95af209d9af0cac0de6de62e796a6b9603d8e

SHA256
6457a3a6a96adf2e24c3ce600928e006c50cd90eee46f73146c3507287ba9bc7

SHA512
a0c9d3f38d885e6a2ee0ed157887415f16108e9c26c5a3b2bbd54b51fcf3931d0f6a895edf3313146b1813f7351582bba7adb5cfc22df6169cc892fb4bf0b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jjjmzioi.exe
MD5
40edbaf0a7ce2851f0883e49ee1db609

SHA1
40c95af209d9af0cac0de6de62e796a6b9603d8e

SHA256
6457a3a6a96adf2e24c3ce600928e006c50cd90eee46f73146c3507287ba9bc7

SHA512
a0c9d3f38d885e6a2ee0ed157887415f16108e9c26c5a3b2bbd54b51fcf3931d0f6a895edf3313146b1813f7351582bba7adb5cfc22df6169cc892fb4bf0b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nbgoyjcv.pdf
MD5
7495261386e5a072f068cbdae39d91e5

SHA1
b08800cad2f8d90a58feb45c3400e137ab31eb23

SHA256
1bb04a78b1f43adcef42947ede15aa292f8bf75629d1cecb64e8cf7d713147ab

SHA512
f38cc029ec05f42891ce049f4db1aaf1e5409612fc38afcab6eb9ce2fc9ddf7f1d350b4bdb2d9dd34d4a37257df8e7854caf9f86fd4547b645797a3cee1e347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcfoxfw.pdf
MD5
ce5c8a69fc77843a6fdd39f2c30524dc

SHA1
e4f84b7d4703c381acef1646bf67bd3a2a0d4d08

SHA256
89ef629ae460cce80ce153f831d814c6031e20d2d8b8671130414f7b9c41ed3d

SHA512
dc76a9fc2b9ccd19dfe24de9b5baffeb1a376789ccf8e942d9013d3e3902f468e6aecc1db38c04f0295afba5ef92317ba30bc0f1ad8e959265897d8d5ab4e4d9

Download Submit
memory/1108-2-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1108-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1468-9-0x0000000000000000-mapping.dmp

Download
memory/2024-5-0x0000000000000000-mapping.dmp

Download
memory/2044-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads