revengerat | b1313253704746db20556908eea196d8f909f7332a3ff934c57e7385facc2a9a

General

Target

b1313253704746db20556908eea196d8f909f7332a3ff934c57e7385facc2a9a.ps1
Size

30KB
MD5

9c0e668b4ffffb0b2b9348cc0fd100d7
SHA1

6b1f8046633b3d4bca139d5601005a1a7b01aa99
SHA256

b1313253704746db20556908eea196d8f909f7332a3ff934c57e7385facc2a9a
SHA512

c3cfec27f0afd66ffa196679a2d5edd55b81c74dc854f707df188a00f9c8dce31df67843119f957c7788a099708f51c915e918a47ac567b3fc24d5da1d33b14b

Score

10^/10

revengerat nyancatrevenge trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

alice2019.myftp.biz:5050

Mutex

35dd546fe60c401

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Drops startup file 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLoginWindows10.vbs powershell.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2388 set thread context of 2732 2388 powershell.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2388 powershell.exe
2388 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2388 powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemLoginWindows10.vbs	powershell.exe

description	pid	process	target process
PID 2388 set thread context of 2732	2388	powershell.exe	AppLaunch.exe

pid	process
2388	powershell.exe
2388	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2388	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.execsc.exe

description	pid	process	target process
PID 2388 wrote to memory of 1312	2388	powershell.exe	csc.exe
PID 2388 wrote to memory of 1312	2388	powershell.exe	csc.exe
PID 1312 wrote to memory of 4556	1312	csc.exe	cvtres.exe
PID 1312 wrote to memory of 4556	1312	csc.exe	cvtres.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe
PID 2388 wrote to memory of 2732	2388	powershell.exe	AppLaunch.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\b1313253704746db20556908eea196d8f909f7332a3ff934c57e7385facc2a9a.ps1
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ox1a3ekd\ox1a3ekd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C8A.tmp" "c:\Users\Admin\AppData\Local\Temp\ox1a3ekd\CSC52DA5C601900492DB87DFC33F4D46DB.TMP"
3⤵
PID:4556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6C8A.tmp
Filesize
1KB

MD5
df604da4f06a86a1c57362d817ea5aad

SHA1
cb52833f6efd70a2624d17765e9fdfbe92b12675

SHA256
72c017ddfd86096d353ff0a2d084d1a54cc67217ef432dade5283653fb84b8ba

SHA512
a71845ec9bf9b7c06ec067fc96c0ba5909054b205cb6ea0f19eadafd13c1551bf64dd355960c8e9bf9e782fab09eec21de6149dfe25a30fa7085bea55d32f636

Download Submit
C:\Users\Admin\AppData\Local\Temp\ox1a3ekd\ox1a3ekd.dll
Filesize
13KB

MD5
eabab81d93a5bbcb2a0137e13b57e83d

SHA1
810b12f64a797d025d14e0a417ef0371f24798db

SHA256
4c8819781f306d6e5a97f2f3501b1c6c54fe2eb37a71d1a91de2ca35dadfdfd4

SHA512
cd8a416db5727c1e5e57175ee2b42c91f65bb2df6136b4c889d44854b6dcc99de8dea9678515bb2bb2aa5dd5d8d35ace46fc12843a3aac4127f0786332ee87e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ox1a3ekd\CSC52DA5C601900492DB87DFC33F4D46DB.TMP
Filesize
652B

MD5
525e5e313657dcaefdd16b0dae80e0ef

SHA1
39e94f9320848ebb046ba16bc6a65e0f412162f3

SHA256
94bc595829821516abffafa6c5c160a234a8e45832aa51978010f5e9a0d02f67

SHA512
a45335b1d542843c8f4cc0b37ed5b79b18be4171361bc17aba201e3f97d36b8960cc0188c7132a68115624e1fad8474a32c09e003401ea187a473841df675e64

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ox1a3ekd\ox1a3ekd.0.cs
Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ox1a3ekd\ox1a3ekd.cmdline
Filesize
327B

MD5
608c603ef53c96b5266ea9543533f231

SHA1
a79e6cb919d55bcb93b3e0f2bdd6ad39ecffe919

SHA256
7a6bbfb06d5f98ee0ed06989effb24fceb6eb85b1bbe3da5a4fea11208b066b6

SHA512
1d81bd7b4c2213dbe8230acb0c387d3dc28bffaf51f4938dbda48ebc4e340503325436aae8a0d77570e929ec5597409d6fcc1f08f8ddca0a0ce16587808d3cc2

Download Submit
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/2388-130-0x00000214B6A40000-0x00000214B6A62000-memory.dmp

Filesize
136KB

Download
memory/2388-133-0x00000214D1AD0000-0x00000214D1FF8000-memory.dmp

Filesize
5.2MB

Download
memory/2388-132-0x00000214D1520000-0x00000214D1596000-memory.dmp

Filesize
472KB

Download
memory/2388-131-0x00007FF8A2C90000-0x00007FF8A3751000-memory.dmp

Filesize
10.8MB

Download
memory/2388-143-0x00007FF8A2C90000-0x00007FF8A3751000-memory.dmp

Filesize
10.8MB

Download
memory/2732-141-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2732-142-0x000000000040501E-mapping.dmp

Download
memory/2732-144-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4556-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads