revengerat | a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a | Triage

Submit
Reports

Overview

overview

Static

static

a6bf7a9b69...7a.exe

windows7_x64

a6bf7a9b69...7a.exe

windows10-2004_x64

Sharing

General

Target

a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a
Size

1.2MB
Sample

220418-wp8x2shgdm
MD5

9adfedfedfc7b1d46190e5877a805394
SHA1

34dc9f850ae29c7fc9c741c6f965b1eeda2ebdb0
SHA256

a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a
SHA512

3f7b81d359ff78708c5b3bbc2ec3870747a81c16320a3b3bb83e68bb22e7496acd000769c932e017f242206064ca73297c89381296ca68e72af55f44564f08b0

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe

Resource

win7-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a.exe

Resource

win10v2004-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Targets

- Target
  
  a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a
- Size
  
  1.2MB
- MD5
  
  9adfedfedfc7b1d46190e5877a805394
- SHA1
  
  34dc9f850ae29c7fc9c741c6f965b1eeda2ebdb0
- SHA256
  
  a6bf7a9b696448dbc64ed4dfe0c661d6b49d48b421a8b39fa28cb8c9d0b3197a
- SHA512
  
  3f7b81d359ff78708c5b3bbc2ec3870747a81c16320a3b3bb83e68bb22e7496acd000769c932e017f242206064ca73297c89381296ca68e72af55f44564f08b0
Score

10^/10

revengerat nyancatrevenge evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratnyancatrevengeevasionpersistencetrojan

behavioral2

revengeratnyancatrevengeevasionpersistencetrojan

© 2018-2024

Terms | Privacy