Overview

overview

10

Static

static

SKM-21022100.js

windows7_x64

10

SKM-21022100.js

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SKM-21022100.js

  • Size

    213KB

  • Sample

    220107-jj9k6sbhh8

  • MD5

    0618efa95ebe9c933466fdf795961c43

  • SHA1

    6e93f7b03f1149f821b57176a4b838c7365572ac

  • SHA256

    7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

  • SHA512

    e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

Score
10/10
bitratrevengeratnyancatrevengeevasionpersistencetrojanupx

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

macjoe597.duia.ro:3175

Mutex

1e858dc786914c61

Extracted

Family

bitrat

Version

1.38

C2

severdops.ddns.net:3071

Attributes
  • communication_password

    29ef52e7563626a96cea7f4b4085c124

  • tor_process

    tor

Targets

    • Target

      SKM-21022100.js

    • Size

      213KB

    • MD5

      0618efa95ebe9c933466fdf795961c43

    • SHA1

      6e93f7b03f1149f821b57176a4b838c7365572ac

    • SHA256

      7f5baba61bce87f124d7c559767fb067e00743141554fcc76b87d1e39ee4e074

    • SHA512

      e59cf7c7323ebbbb0542ff8a62fb988dfac9f590987dce3b4efce79e0609a654a92622b7dc605f6894801db105183540dfae6f3e876026398d938505fb262d42

    Score
    10/10
    bitratrevengeratnyancatrevengeevasionpersistencetrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Windows security bypass

      evasiontrojan

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks