revengerat | 65d6f9753c33e994c63595226ef407ac71ea703bf7cf52eb36ba502b5fa9f153

General

Target

65d6f9753c33e994c63595226ef407ac71ea703bf7cf52eb36ba502b5fa9f153.ps1
Size

30KB
MD5

0f4cb16b0393fb6ec6bdd8a59f7b5e0e
SHA1

a9f39815612f34ac43667b82d379340d91db0318
SHA256

65d6f9753c33e994c63595226ef407ac71ea703bf7cf52eb36ba502b5fa9f153
SHA512

cb6f73fb1180a878cbd426c9d56763418a01637aaa01f5710ad4cf2d73f84fe1f6f20fe4ce69f4f022de03479b02da1c30ddfec8e47cb7144ca3d23f21258d02

Score

10^/10

revengerat nyancatrevenge trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

alice2019.myftp.biz:5050

Mutex

35dd546fe60c401

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLoginWindows10.vbs powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4948 set thread context of 3752 4948 powershell.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4948 powershell.exe
4948 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4948 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLoginWindows10.vbs	powershell.exe

description	pid	process	target process
PID 4948 set thread context of 3752	4948	powershell.exe	AppLaunch.exe

pid	process
4948	powershell.exe
4948	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4948	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 4948 wrote to memory of 2000	4948	powershell.exe	csc.exe
PID 4948 wrote to memory of 2000	4948	powershell.exe	csc.exe
PID 2000 wrote to memory of 4300	2000	csc.exe	cvtres.exe
PID 2000 wrote to memory of 4300	2000	csc.exe	cvtres.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe
PID 4948 wrote to memory of 3752	4948	powershell.exe	AppLaunch.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\65d6f9753c33e994c63595226ef407ac71ea703bf7cf52eb36ba502b5fa9f153.ps1
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1zoxa1q\j1zoxa1q.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69EA.tmp" "c:\Users\Admin\AppData\Local\Temp\j1zoxa1q\CSCC424DE07A4F64F1EA9D1729465D133F3.TMP"
3⤵
PID:4300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:3752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES69EA.tmp
Filesize
1KB

MD5
2b2454c00a31d74df765f2e327ff3e33

SHA1
e10f837aa9e7f37e3555c592e5c4c8729dd6e4a4

SHA256
7fc8f70db46ceb379f841bad4b9303f3da6342771210486e52947e51d2fecf77

SHA512
387de21a4ea1a06880fe463f124695e90452a52fe0c5c693526b1186b2415a14c0bb3dbde3fc0778497c02a47837622104fd9a9d6db7f3c8d175939fa51c3611

Download Submit
C:\Users\Admin\AppData\Local\Temp\j1zoxa1q\j1zoxa1q.dll
Filesize
13KB

MD5
ea005f59ac0d78f7b870f51ac790704f

SHA1
599ce0e8d696ae322506cfb559d702ffeb8a30c5

SHA256
578527e663e35de6b75e7928158ca3b661ded42c50dcb90f51304f048b6b7ae7

SHA512
936030ea84d5ac4c0232a86c334ac4181a12bc29d93553d409be036917247e28c1dbb5b2d1419ecad6634f6e77605d4aa0e6a9a581ad028640f76bcd49b73eec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1zoxa1q\CSCC424DE07A4F64F1EA9D1729465D133F3.TMP
Filesize
652B

MD5
d63e0dd68d239fb56677fee862939b10

SHA1
d486d86640129fdbb8aa6d8d9141d3c02f469143

SHA256
5e0dd404f776c4c2e0a9de17d0fd1d973c465fbe4ea90a7d4df5f3d645fe9e28

SHA512
631016c3fee047d3fdb3b3e19741ca8ade4e032c9c1e605af205dc39b2682ac5a8b720108267012c2015f9a8798f483c0abcb7f8568db1c366ee9c89be4b7316

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1zoxa1q\j1zoxa1q.0.cs
Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j1zoxa1q\j1zoxa1q.cmdline
Filesize
327B

MD5
355dce8a3b223871e0adf40e3d8bbe13

SHA1
8487015be4da86cf729ff153c4b2707463862612

SHA256
3ab59c08182ad25b36bf52ab480eefc3658baa7bf3f650f6bef088202f9303e2

SHA512
ff1953ea73637e64c23e214be8519f1a4a87d7d0f31140ad9a7ad69119b917e2a0f23c15060d338d5d70fc5353e02783e210c64cea396f1a87bba7d3927f16f2

Download Submit
memory/2000-134-0x0000000000000000-mapping.dmp

Download
memory/3752-141-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3752-142-0x000000000040501E-mapping.dmp

Download
memory/3752-144-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/4300-137-0x0000000000000000-mapping.dmp

Download
memory/4948-130-0x000001C7FFA20000-0x000001C7FFA42000-memory.dmp

Filesize
136KB

Download
memory/4948-133-0x000001C79B090000-0x000001C79B5B8000-memory.dmp

Filesize
5.2MB

Download
memory/4948-132-0x000001C7FFE90000-0x000001C7FFF06000-memory.dmp

Filesize
472KB

Download
memory/4948-131-0x00007FFC6B800000-0x00007FFC6C2C1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-143-0x00007FFC6B800000-0x00007FFC6C2C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads