Overview

overview

10

Static

static

3

Antidetect...JC.exe

windows7-x64

10

Antidetect...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2023 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AntidetectPatreonPremiumEdition2022_JC.exe

  • Size

    84.3MB

  • MD5

    b4bceed650b2162007040ce71b3a94a6

  • SHA1

    810bd44e0f3d3efdf1ec7923c54d5a86ecb5799a

  • SHA256

    316e21b3e68b522fc33f29723770f031ca472f39c6b192f3e4534b5198652372

  • SHA512

    3355173305b03120b4db20c92765c4c84db0ff75d0305e7a1192cea6a4c0ab64fbe9838c2c3185458eb5aed967347276b2d78cba0c55753694a21b9b04aa480c

  • SSDEEP

    1572864:O96ytL1hdHOZJGF2qDdNy00uNhM/IiafGhoZyV4CSS17IAs7lZJbKpg4:ODBpOSFZRNy+NhM/2ZkP7RalZJ+pg

Score
10/10
revengeratnyan-catpersistencestealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

NYAN-CAT

C2

blog.capeturk.com:1111

Mutex

RV_MUTEX-FZMONFueOciq

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • RevengeRat Executable 1 IoCs
    stealer
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\AntidetectPatreonPremiumEdition2022_JC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:992
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          PID:2124
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
    • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
      "C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4280
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log
    Filesize

    408B

    MD5

    70f08e6585ed9994d97a4c71472fccd8

    SHA1

    3f44494d4747c87fb8b94bb153c3a3d717f9fd63

    SHA256

    87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

    SHA512

    d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log
    Filesize

    588B

    MD5

    2f142977932b7837fa1cc70278e53361

    SHA1

    0a3212d221079671bfdeee176ad841e6f15904fc

    SHA256

    961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

    SHA512

    a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
    Filesize

    83.8MB

    MD5

    fc409978e611a143502044848f8d470f

    SHA1

    dae419b77c277fe1fba610c2da94586dcef16701

    SHA256

    bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

    SHA512

    e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
    Filesize

    83.8MB

    MD5

    fc409978e611a143502044848f8d470f

    SHA1

    dae419b77c277fe1fba610c2da94586dcef16701

    SHA256

    bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

    SHA512

    e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Antidetect Patreon Premium Edition 2022 .exe
    Filesize

    83.8MB

    MD5

    fc409978e611a143502044848f8d470f

    SHA1

    dae419b77c277fe1fba610c2da94586dcef16701

    SHA256

    bb7c477ce05a95f3079fd90327c734fd120e1895437792c388d943dc26a20f70

    SHA512

    e49f7e9f7ba9de786ce52bba768c4ed38c8ef4c3ded3babadbdbe85635d349c46b61fcca3fe46a29b25c21efdda295279bcf6df42ffd9d019197bc669e263442

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    420KB

    MD5

    ada0cbc54989b2cd2959601c7a5b8499

    SHA1

    9c8739d476016fe0a87b176bb95f3a5bcbeff0de

    SHA256

    a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

    SHA512

    f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\VirtualBox\VirtualBox-6.1.28-r147628.msi
    Filesize

    82.6MB

    MD5

    577825097157487c7afd2c591ee413bb

    SHA1

    6b4c3f8b88edb5925b05338fd1e9b1f3e5c665db

    SHA256

    3ccd35abf2dcfff22ad6d3ffda5cf79f3fdc4fac4244caf6ac4bde72f05b402d

    SHA512

    5d2f72b490e06bc0f69cdf0528fe43332b7420f92f21f573c9fe890b00b6ae002ef21566e1ba1be27ee61aa2e85535102c8b12661e4f101143e62a7c4a5748e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    73KB

    MD5

    8e3d99e6a1064f89744ccb24dc6802bb

    SHA1

    1b6c31ab4236538c8423c19575c1e19a031b3876

    SHA256

    d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

    SHA512

    f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    293KB

    MD5

    1303779b354738a8c93cc522ffb21f11

    SHA1

    ce29a26e1363ddfdc830e2934fed935f15032187

    SHA256

    0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

    SHA512

    b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

    Download Submit
  • memory/888-51-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/888-27-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/888-28-0x00000000018E0000-0x00000000018F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/888-29-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/992-47-0x0000000000140000-0x000000000018E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/992-115-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/992-121-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/992-54-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/992-53-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2124-104-0x000000001B110000-0x000000001B11C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2124-106-0x000000001CEB0000-0x000000001CF12000-memory.dmp
    Filesize

    392KB

    Download
  • memory/2124-91-0x00000000003C0000-0x00000000003D8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2124-116-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2124-90-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2124-94-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2124-117-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2124-92-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2124-93-0x0000000000E80000-0x0000000000E88000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2632-67-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2632-56-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2632-49-0x0000000003180000-0x0000000003188000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2632-55-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4624-4-0x00000000206A0000-0x0000000020746000-memory.dmp
    Filesize

    664KB

    Download
  • memory/4624-50-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4624-3-0x00000000002C0000-0x0000000005708000-memory.dmp
    Filesize

    84.3MB

    Download
  • memory/4624-2-0x0000000005FE0000-0x0000000005FF0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4624-1-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4624-5-0x0000000020C20000-0x00000000210EE000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/4624-35-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4624-6-0x0000000021190000-0x000000002122C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4624-64-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4624-0-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4632-19-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4632-21-0x000000001BEC0000-0x000000001BEE8000-memory.dmp
    Filesize

    160KB

    Download
  • memory/4632-52-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/4632-20-0x0000000001910000-0x0000000001920000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4632-18-0x0000000000F20000-0x0000000000F8E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/4632-22-0x00007FFBB76E0000-0x00007FFBB8081000-memory.dmp
    Filesize

    9.6MB

    Download