General

  • Target

    393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe

  • Size

    419KB

  • Sample

    221023-dtsgragbhm

  • MD5

    36199d74da34290f87be389bb6bb9515

  • SHA1

    7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

  • SHA256

    393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

  • SHA512

    7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

  • SSDEEP

    12288:p051XAB4MzIbYyOrCKuBBPcn/txkAWQEho:p+1XAB4wIbfJlcn1xkjh

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

alice2019.myftp.biz:7575

Mutex

a4765021d3

Targets

    • Target

      393B10AAC7F59B3D7A146C654A24777D4B48648C3D8B8.exe

    • Size

      419KB

    • MD5

      36199d74da34290f87be389bb6bb9515

    • SHA1

      7d997bf1fc79f9d9cb1a5c47b721a7f1e310a4ff

    • SHA256

      393b10aac7f59b3d7a146c654a24777d4b48648c3d8b842754de1ba58b1d5490

    • SHA512

      7b7dcb98e36fed88e22435832a8dc604845a463ed82058c1cdbe060839f9926d772cc219890a5f55ef2cbf42cc2037f6404840f0124fbdf27e6820e5ec6b272f

    • SSDEEP

      12288:p051XAB4MzIbYyOrCKuBBPcn/txkAWQEho:p+1XAB4wIbfJlcn1xkjh

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Windows security bypass

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

3
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Tasks