General
Target: f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
Size: 207KB
Sample: 220502-cwqv9saag8
MD5: baab6b920f71c23fad1133d8e57aa215
SHA1: af630b8a873326645751c9fba78de715d91ae211
SHA256: f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
SHA512: 7147023f94a01eada51170916a33da140224b514c6da71bc59cee0afa531fd9086a86f053e10c07e1a597edae39f163ea89f7eef86f69701ca676d49d089e889
Static task: static1
Behavioral task: behavioral1
  Sample: f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted:
- Family: revengerat
- Botnet: NyanCatRevenge
- C2: hpdndbnb.duckdns.org:2404
- Mutex: 90a49aa7c27647e
Targets
Target: f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
Score: 10/10
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext