revengerat | c5d1c57f289c7f9f692ad7971b08ec1392082eda028916ff33c27da1c8c3326b

General

Target

TENDER_N.EXE
Size

742KB
MD5

868ca3e861260b5080c62eda3880c425
SHA1

8d1dd70950daa651261a429baa0f63332bc690ca
SHA256

c125ad338e09169f93f9ba82a8eb533619ae2087dd2a84563da1c6a3ef68e3d1
SHA512

5ac65a3230f465a2fccad3101261500a2fe923d6ee67990e235b255a8f85529250a93fdbac5a304c93207605f8186bbd4500fb8febb6ffd0e8a8e44b159b19af

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

10eef43648e54083

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

TENDER_N.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE\""	TENDER_N.EXE

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Drops startup file 2 IoCs

Processes:

TENDER_N.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE	TENDER_N.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE	TENDER_N.EXE

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

TENDER_N.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	TENDER_N.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	TENDER_N.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE = "0"	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE = "0"	TENDER_N.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	TENDER_N.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	TENDER_N.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	TENDER_N.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TENDER_N.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE"	TENDER_N.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\TENDER_N.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TENDER_N.EXE"	TENDER_N.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

TENDER_N.EXE

description pid process target process

PID 3888 set thread context of 2480 3888 TENDER_N.EXE TENDER_N.EXE

description	pid	process	target process
PID 3888 set thread context of 2480	3888	TENDER_N.EXE	TENDER_N.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TENDER_N.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	TENDER_N.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TENDER_N.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2388	powershell.exe
3736	powershell.exe
3968	powershell.exe
64	powershell.exe
3736	powershell.exe
2388	powershell.exe
3968	powershell.exe
64	powershell.exe
2388	powershell.exe
3736	powershell.exe
3968	powershell.exe
64	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

TENDER_N.EXEpowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3888	TENDER_N.EXE
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	64	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

TENDER_N.EXE

description	pid	process	target process
PID 3888 wrote to memory of 3736	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 3736	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 3736	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 3968	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 3968	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 3968	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 2388	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 2388	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 2388	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 64	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 64	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 64	3888	TENDER_N.EXE	powershell.exe
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE
PID 3888 wrote to memory of 2480	3888	TENDER_N.EXE	TENDER_N.EXE

C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE
"C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TENDER_N.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE
"C:\Users\Admin\AppData\Local\Temp\TENDER_N.EXE"
2⤵
- Checks processor information in registry
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

5

T1112

Disabling Security Tools

3

T1089

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0dae0e774db5abb82a4016d6c6e96448

SHA1
705338641dad83b3673dc6718c0c73d7fe784a5a

SHA256
d7ce7accfaaa3c1d8e7ca2a63890e8ce2f8f6d17a72f00e96d1ad4e23e16bad8

SHA512
5a49cca6f94997468777ce0446005ab0d71c5274d07ce120a2623db95cb7e658766f209999d6421f23e643b73845887f3d5345f092b657536af183185e133178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
26650a9d29fb8c872011f68406db3c42

SHA1
272251f642694ec0c76be781e049300b4bbb0189

SHA256
c0e22e98f6952b6235b0cf8dc051d5751e697fd9ef6e5a9f82836567ab6f73ae

SHA512
f93494f368ceb32b77c0b410b90f6203a5c363ea9629ab86c01833e9a49106a30245a93476fd9f78a12cd79b31781effbdb6f06227b7838ece681bcdce74f030

Download Submit
memory/64-22-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/64-14-0x0000000000000000-mapping.dmp

Download
memory/2388-42-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

Filesize
4KB

Download
memory/2388-18-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/2388-50-0x0000000008650000-0x0000000008651000-memory.dmp

Filesize
4KB

Download
memory/2388-12-0x0000000000000000-mapping.dmp

Download
memory/2388-45-0x00000000083B0000-0x00000000083B1000-memory.dmp

Filesize
4KB

Download
memory/2480-98-0x000000000040502E-mapping.dmp

Download
memory/2480-97-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2480-99-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3736-13-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3736-56-0x0000000009420000-0x0000000009453000-memory.dmp

Filesize
204KB

Download
memory/3736-17-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/3736-10-0x0000000000000000-mapping.dmp

Download
memory/3736-82-0x00000000095B0000-0x00000000095B1000-memory.dmp

Filesize
4KB

Download
memory/3736-78-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/3736-112-0x00000000098F0000-0x00000000098F1000-memory.dmp

Filesize
4KB

Download
memory/3736-15-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3888-7-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3888-8-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/3888-9-0x00000000056F0000-0x000000000570B000-memory.dmp

Filesize
108KB

Download
memory/3888-2-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3888-6-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/3888-5-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/3968-28-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/3968-94-0x0000000009150000-0x0000000009151000-memory.dmp

Filesize
4KB

Download
memory/3968-33-0x0000000007810000-0x0000000007811000-memory.dmp

Filesize
4KB

Download
memory/3968-104-0x0000000009100000-0x0000000009101000-memory.dmp

Filesize
4KB

Download
memory/3968-31-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/3968-26-0x0000000006DE0000-0x0000000006DE1000-memory.dmp

Filesize
4KB

Download
memory/3968-16-0x0000000073A20000-0x000000007410E000-memory.dmp

Filesize
6.9MB

Download
memory/3968-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads