revengerat | f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b | Triage

Submit
Reports

Overview

overview

Static

static

f9a9a3d9a0...2b.exe

windows7_x64

3

f9a9a3d9a0...2b.exe

windows10-2004_x64

Sharing

General

Target

f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
Size

207KB
Sample

220502-cwqv9saag8
MD5

baab6b920f71c23fad1133d8e57aa215
SHA1

af630b8a873326645751c9fba78de715d91ae211
SHA256

f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
SHA512

7147023f94a01eada51170916a33da140224b514c6da71bc59cee0afa531fd9086a86f053e10c07e1a597edae39f163ea89f7eef86f69701ca676d49d089e889

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b.exe

Resource

win7-20220414-en

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b.exe

Resource

win10v2004-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Targets

- Target
  
  f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
- Size
  
  207KB
- MD5
  
  baab6b920f71c23fad1133d8e57aa215
- SHA1
  
  af630b8a873326645751c9fba78de715d91ae211
- SHA256
  
  f9a9a3d9a05659903c55f793e8b5cc34455da1994e5b6fb4747b1d661a4f5e2b
- SHA512
  
  7147023f94a01eada51170916a33da140224b514c6da71bc59cee0afa531fd9086a86f053e10c07e1a597edae39f163ea89f7eef86f69701ca676d49d089e889
Score

10^/10

revengerat nyancatrevenge evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengeevasionpersistencetrojan

© 2018-2024

Terms | Privacy