revengerat | 3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7 | Triage

Submit
Reports

Overview

overview

Static

static

3f62f75c02...a7.exe

windows7_x64

3f62f75c02...a7.exe

windows10-2004_x64

Sharing

General

Target

3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
Size

217KB
Sample

220508-jb73daebaj
MD5

28410510706c74c2ca6494f036ebbd94
SHA1

4068e6a8618dc47a08962f91121c7bedf51e2407
SHA256

3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
SHA512

f429fcba47b03e96be57219ecf7ff1d435510600eae6772bfddc11354d357325aaa140b6db16c8c0bdbfa6a615ff72223ed332472b7c02c7a8754d342a2cf952

Score

10^/10

revengerat nyancatrevenge evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7.exe

Resource

win7-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7.exe

Resource

win10v2004-20220414-en

revengerat nyancatrevenge evasion persistence trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Targets

- Target
  
  3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
- Size
  
  217KB
- MD5
  
  28410510706c74c2ca6494f036ebbd94
- SHA1
  
  4068e6a8618dc47a08962f91121c7bedf51e2407
- SHA256
  
  3f62f75c0294381629c8cb14382a5ab1d27e83966014961a414cd9411abd27a7
- SHA512
  
  f429fcba47b03e96be57219ecf7ff1d435510600eae6772bfddc11354d357325aaa140b6db16c8c0bdbfa6a615ff72223ed332472b7c02c7a8754d342a2cf952
Score

10^/10

revengerat nyancatrevenge evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

revengeratnyancatrevengeevasionpersistencetrojan

behavioral2

revengeratnyancatrevengeevasionpersistencetrojan

© 2018-2024

Terms | Privacy