revengerat | 061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc | Triage

Submit
Reports

Overview

overview

Static

static

061f672278...bc.exe

windows7_x64

061f672278...bc.exe

windows10-2004_x64

Sharing

General

Target

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc
Size

170KB
Sample

220418-t3y9naadc7
MD5

6bdd0461ce6cf27ac8ee5615e0da1c70
SHA1

517560e5361084641380f349e005d6e3ce5c3a26
SHA256

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc
SHA512

bacb364508f71dcbffca34c9481b528e9394fb1d939bc81a810dcacff87d6e9ff8eca8c683dfbc23ee2f76795bb3fda4d5e8089ab3e2d8304f123570fd1f0c84

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Resource

win7-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc.exe

Resource

win10v2004-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Targets

- Target
  
  061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc
- Size
  
  170KB
- MD5
  
  6bdd0461ce6cf27ac8ee5615e0da1c70
- SHA1
  
  517560e5361084641380f349e005d6e3ce5c3a26
- SHA256
  
  061f6722784aedb82b0c2ab822c0e08ceaa88bf10eb8aed80bbd4ebd056de9bc
- SHA512
  
  bacb364508f71dcbffca34c9481b528e9394fb1d939bc81a810dcacff87d6e9ff8eca8c683dfbc23ee2f76795bb3fda4d5e8089ab3e2d8304f123570fd1f0c84
Score

10^/10

revengerat nyancatrevenge evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratnyancatrevengeevasionpersistencetrojan

behavioral2

revengeratnyancatrevengeevasionpersistencetrojan

© 2018-2024

Terms | Privacy