General

  • Target: 3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
  • Size: 217KB
  • Sample: 220508-jb73daebaj
  • MD5: 28410510706c74c2ca6494f036ebbd94
  • SHA1: 4068e6a8618dc47a08962f91121c7bedf51e2407
  • SHA256: 3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
  • SHA512: f429fcba47b03e96be57219ecf7ff1d435510600eae6772bfddc11354d357325aaa140b6db16c8c0bdbfa6a615ff72223ed332472b7c02c7a8754d342a2cf952

Malware Config

Extracted

  • Family: revengerat
  • Botnet: NyanCatRevenge
  • C2: hpdndbnb.duckdns.org:2404
  • Mutex: 90a49aa7c27647e

Targets

  • Target: 3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
  • Size: 217KB
  • MD5: 28410510706c74c2ca6494f036ebbd94
  • SHA1: 4068e6a8618dc47a08962f91121c7bedf51e2407
  • SHA256: 3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
  • SHA512: f429fcba47b03e96be57219ecf7ff1d435510600eae6772bfddc11354d357325aaa140b6db16c8c0bdbfa6a615ff72223ed332472b7c02c7a8754d342a2cf952

  Signatures

    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • RevengeRAT
      Remote-access trojan with a wide range of capabilities.
    • Turns off Windows Defender SpyNet reporting
    • Windows security bypass
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence
  • T1004  Winlogon Helper DLL (1)
  • T1031  Modify Existing Service (1)
  • T1060  Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112  Modify Registry (7)
  • T1089  Disabling Security Tools (4)
  • T1130  Install Root Certificate (1)

Discovery
  • T1012  Query Registry (2)
  • T1082  System Information Discovery (3)

Command and Control
  • T1102  Web Service (1)

Tasks