General
Target: ParadoxNumber.zip
Size: 7.4MB
Sample: 230429-nhe3dscg3v
MD5: d79d0a1399b86169211730ad21019b35
SHA1: 5058b8cd247568fa3d10337c833f4c93999b68b3
SHA256: ab6a5303eb6b4c26939f55d82a8470c43ee1151bc81aed9804764fd435e9b7c1
SHA512: 937997edda924628be0177e1e9325c345c86079ac404d3397a26fcaa60f5fef67d8a6bbcc56367a240d0cfaea4f813a7d95176d278d1a1bca7939cc6b7b9778d
SSDEEP: 196608:tL5xZXzZse8FvNgUnn0MKcbsB9AqXTLymdsjD:tRX589NgU0lcbA9AqXTmm2H

Static task: static1
Behavioral task: behavioral1
  Sample: ParadoxNumber.exe
  Resource: win10v2004-20230220-en

Malware Config
Extracted:
  revengerat
  NYAN-CAT
  blog.capeturk.com:1111
  RV_MUTEX-FZMONFueOciq

Targets
Target: ParadoxNumber.exe
Size: 7.4MB
MD5: 8447d37a913ab3638d1e4900392f2cf9
SHA1: 5454e1d1833d0c7b39f48ba914ab77f0db5072de
SHA256: 7302496e3ff3c304cb65f31fa72d49bcfa8fb492a0781e77a1d8b60d32c5fa8e
SHA512: 7cc05eeb16bbee368cad4c38daa666598d7f92924401235c304cc70d0923f3d2cac6ec4c4666a9a8f065283cb58c044546f5f36ae2d74f58c22a8b5c3df09f27
SSDEEP: 196608:K0ZMxlbj3QyshxT+aZRUaaoTC8gPXX44ju1Ii:K04bZsnT+aY1oTC8gPXI4ap

Signatures
- RevengeRat Executable
- Modifies Windows Firewall
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.