revengerat | 326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf

Analysis

max time kernel
129s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
Size

4.0MB
MD5

633a7a8aedf8627097b29d0e707c59af
SHA1

f36662cce42d02ed690fbc8e71f4cefc17474200
SHA256

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf
SHA512

17033c6eb42190020320cda1a092eb528186bfc1ba7ac4bce30300732b839de9371e843f67404d8e23c74fab95abc20365ade575b30daf3eede1f93b1b24a568
SSDEEP

98304:7trbTA1FZZAG/HW4A5vodMJ5thwVX9Gx5VeqC6BIN4ts7BUGI1jF:hc1Fzf/HxOQMthPgtCIBUGI1B

Score

10^/10

revengerat nyancatrevenge trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

c12ead04c4f046028

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinRAR.exeCDS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WinRAR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	CDS.exe

Drops startup file 2 IoCs

Processes:

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Executes dropped EXE 3 IoCs

Processes:

WinRAR.exeCDS.execrypted.exe

pid process

4508 WinRAR.exe
396 CDS.exe
3864 crypted.exe
Loads dropped DLL 1 IoCs

Processes:

CDS.exe

pid process

396 CDS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

CDS.exe

pid process

396 CDS.exe
396 CDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 392 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 392 AUDIODG.EXE

pid	process
4508	WinRAR.exe
396	CDS.exe
3864	crypted.exe

pid	process
396	CDS.exe

pid	process
396	CDS.exe
396	CDS.exe

description	pid	process
Token: 33	392	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	392	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

pid	process
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

pid	process
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

CDS.exe

pid process

396 CDS.exe
396 CDS.exe

pid	process
396	CDS.exe
396	CDS.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exeWinRAR.exeCDS.exe

description	pid	process	target process
PID 2888 wrote to memory of 4508	2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe	WinRAR.exe
PID 2888 wrote to memory of 4508	2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe	WinRAR.exe
PID 2888 wrote to memory of 4508	2888	326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe	WinRAR.exe
PID 4508 wrote to memory of 396	4508	WinRAR.exe	CDS.exe
PID 4508 wrote to memory of 396	4508	WinRAR.exe	CDS.exe
PID 4508 wrote to memory of 396	4508	WinRAR.exe	CDS.exe
PID 396 wrote to memory of 3864	396	CDS.exe	crypted.exe
PID 396 wrote to memory of 3864	396	CDS.exe	crypted.exe
PID 396 wrote to memory of 3864	396	CDS.exe	crypted.exe

C:\Users\Admin\AppData\Local\Temp\326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe
"C:\Users\Admin\AppData\Local\Temp\326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf.exe"
1⤵
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\CDS.exe
"C:\Users\Admin\AppData\Local\Temp\CDS.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\crypted.exe"
4⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x340
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\630_10.png
Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.cdd
Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDS.exe
Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6798.tmp
Filesize
3.4MB

MD5
805e945f731b4b196cb1996a3eb76424

SHA1
2a42d824f8cdfad379548c1fdf3b629036bb21ae

SHA256
0fc458de6a050a2443650b50593020e072f8e123ab1c184ab0e0c3725fce6f3b

SHA512
8e4f3b30eb39955b7d21bfc371f35693e7b416c0431258a767149d9d4afceea53b1680d0cce1a5d9569cb8bb63316e2fe524da32a8d0a7171a49aade28fd246a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.dat
Filesize
14KB

MD5
24839167b1d44b437b7cb98c775a60d9

SHA1
b7d8e46ea9eb30549805dad1912956acc88a54fd

SHA256
05e57312161c9975959b551d55337147b2bc69254f12bfc6c77c4269e211f6c5

SHA512
a4b54050eb75f0a89019be0dc7359e0e7323649eae8a43335b63a45135d12ae5098b3203a8026231705930c5cccfc7299523eab334653e11548df0eccbf4055f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe
Filesize
14KB

MD5
6d6ec32f46064bb3239ec07390d22985

SHA1
acd5beefdcf00d909d5323fed78f1a0372c613d1

SHA256
96be171b781695767effa3802cd02fec22e80b2c139ab0fedf6e551eea8ca879

SHA512
fbfbb9a321922abdc819ea374e45a53d01c3c364f9d79bb9fddbca2e9881374cd0ae1394989ed5bdaac2144a9264ef272e11f3a152ad2e9e3d7c27c9dcbaf76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe
Filesize
14KB

MD5
6d6ec32f46064bb3239ec07390d22985

SHA1
acd5beefdcf00d909d5323fed78f1a0372c613d1

SHA256
96be171b781695767effa3802cd02fec22e80b2c139ab0fedf6e551eea8ca879

SHA512
fbfbb9a321922abdc819ea374e45a53d01c3c364f9d79bb9fddbca2e9881374cd0ae1394989ed5bdaac2144a9264ef272e11f3a152ad2e9e3d7c27c9dcbaf76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe
Filesize
14KB

MD5
6d6ec32f46064bb3239ec07390d22985

SHA1
acd5beefdcf00d909d5323fed78f1a0372c613d1

SHA256
96be171b781695767effa3802cd02fec22e80b2c139ab0fedf6e551eea8ca879

SHA512
fbfbb9a321922abdc819ea374e45a53d01c3c364f9d79bb9fddbca2e9881374cd0ae1394989ed5bdaac2144a9264ef272e11f3a152ad2e9e3d7c27c9dcbaf76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fs.settings
Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\lua5.1.dll
Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
Filesize
3.4MB

MD5
805e945f731b4b196cb1996a3eb76424

SHA1
2a42d824f8cdfad379548c1fdf3b629036bb21ae

SHA256
0fc458de6a050a2443650b50593020e072f8e123ab1c184ab0e0c3725fce6f3b

SHA512
8e4f3b30eb39955b7d21bfc371f35693e7b416c0431258a767149d9d4afceea53b1680d0cce1a5d9569cb8bb63316e2fe524da32a8d0a7171a49aade28fd246a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinRAR.exe
Filesize
3.4MB

MD5
805e945f731b4b196cb1996a3eb76424

SHA1
2a42d824f8cdfad379548c1fdf3b629036bb21ae

SHA256
0fc458de6a050a2443650b50593020e072f8e123ab1c184ab0e0c3725fce6f3b

SHA512
8e4f3b30eb39955b7d21bfc371f35693e7b416c0431258a767149d9d4afceea53b1680d0cce1a5d9569cb8bb63316e2fe524da32a8d0a7171a49aade28fd246a

Download Submit
memory/3864-192-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/3864-193-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download