Overview

overview

10

Static

static

3

Antidetect...JC.exe

windows7-x64

10

Antidetect...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2023 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AntidetectPatreonPremiumEdition2022_JC.exe

  • Size

    84.3MB

  • MD5

    b4bceed650b2162007040ce71b3a94a6

  • SHA1

    810bd44e0f3d3efdf1ec7923c54d5a86ecb5799a

  • SHA256

    316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372

  • SHA512

    3355173305b03120b4db20c92765c4c84db0ff75d0305e7a1192cea6a4c0ab64fbe9838c2c3185458eb5aed967347276b2d78cba0c55753694a21b9b04aa480c

  • SSDEEP

    1572864:O96ytL1hdHOZJGF2qDdNy00uNhM/IiafGhoZyV4CSS17IAs7lZJbKpg4:ODBpOSFZRNy+NhM/2ZkP7RalZJ+pg

Score
10/10
revengeratnyan-catpersistencestealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

NYAN-CAT

C2

blog.capeturk.com:1111

Mutex

RV_MUTEX-FZMONFueOciq

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2752
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        PID:2820
    • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
      "C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1640
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
    Filesize

    83.8MB

    MD5

    fc409978e611a143502044848f8d470f

    SHA1

    dae419b77c277fe1fba610c2da94586dcef16701

    SHA256

    bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

    SHA512

    e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
    Filesize

    83.8MB

    MD5

    fc409978e611a143502044848f8d470f

    SHA1

    dae419b77c277fe1fba610c2da94586dcef16701

    SHA256

    bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

    SHA512

    e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\CabDF59.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\TarEBDA.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi
    Filesize

    82.6MB

    MD5

    577825097157487c7afd2c591ee413bb

    SHA1

    6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db

    SHA256

    3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d

    SHA512

    5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
    Filesize

    255KB

    MD5

    938670594dc5d2fcb3e7782425780da3

    SHA1

    afedf59a98374c265190f1d49707dbadf608cdaf

    SHA256

    04275bd861b03845f7292d59cc3e676c4fccb9df355d106c085cf6bff763a456

    SHA512

    75e2c40d33116242ba600c8ad875f6a6910ad09ba9c8977e4b97e28600b69709d02f1e0153f73cc50ad73607c819dbb29287910119af1152e0e20ccd9668d85e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
    Filesize

    255KB

    MD5

    938670594dc5d2fcb3e7782425780da3

    SHA1

    afedf59a98374c265190f1d49707dbadf608cdaf

    SHA256

    04275bd861b03845f7292d59cc3e676c4fccb9df355d106c085cf6bff763a456

    SHA512

    75e2c40d33116242ba600c8ad875f6a6910ad09ba9c8977e4b97e28600b69709d02f1e0153f73cc50ad73607c819dbb29287910119af1152e0e20ccd9668d85e

    Download Submit
  • memory/2268-34-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2268-10-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2268-11-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2268-13-0x00000000002C0000-0x000000000032E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/2268-16-0x00000000020E0000-0x0000000002108000-memory.dmp
    Filesize

    160KB

    Download
  • memory/2640-33-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2640-15-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2640-14-0x0000000002210000-0x0000000002290000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2704-50-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2704-68-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2704-71-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2704-53-0x00000000004F0000-0x00000000004FC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2704-49-0x0000000001FB0000-0x0000000002030000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2704-52-0x0000000000280000-0x0000000000288000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2704-67-0x0000000001FB0000-0x0000000002030000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2704-51-0x0000000000290000-0x00000000002A8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2752-81-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2752-32-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2752-28-0x00000000001F0000-0x00000000001F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2752-54-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2752-31-0x0000000002000000-0x0000000002080000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2752-30-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2752-27-0x0000000000300000-0x000000000034E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2820-35-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2820-37-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2820-36-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2860-64-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2860-46-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2860-0-0x000007FEF5A40000-0x000007FEF63DD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2860-2-0x0000000000DE0000-0x0000000006228000-memory.dmp
    Filesize

    84.3MB

    Download
  • memory/2860-1-0x0000000000BA0000-0x0000000000C20000-memory.dmp
    Filesize

    512KB

    Download