revengerat | d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387 | Triage

Submit
Reports

Overview

overview

Static

static

1

Reserva Cancelar.ppam

windows7-x64

Reserva Cancelar.ppam

windows10-2004-x64

Sharing

General

Target

Reserva Cancelar.ppam
Size

8KB
Sample

231205-h2nkzshf71
MD5

f7d4d5e2956183dce4ba10720c701152
SHA1

03b9e2cc094459a6df2fed97f5883b83e982fdf6
SHA256

d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387
SHA512

b27699a17f1bcba03bd06c695212e186b433b0178eb0b039660a8c8358315c00c6309a9f77953608d6f48f0105d80b96a7e69e98681969864098750eb3731fd4
SSDEEP

192:xrXP/cgesPouvhbzvPKPCyDwlLMYOHqvro3h:dXPne8ouvNPKPC2HqsR

Score

10^/10

revengerat nyancatrevenge persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

Reserva Cancelar.ppam

Resource

win7-20231130-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

Reserva Cancelar.ppam

Resource

win10v2004-20231127-en

revengerat nyancatrevenge persistence trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

da4b271c7cfc4bb

Targets

- Target
  
  Reserva Cancelar.ppam
- Size
  
  8KB
- MD5
  
  f7d4d5e2956183dce4ba10720c701152
- SHA1
  
  03b9e2cc094459a6df2fed97f5883b83e982fdf6
- SHA256
  
  d692617c7a65d2ba50d882b02dffaf94fd10ed3a7ba31ff8a075a43d67034387
- SHA512
  
  b27699a17f1bcba03bd06c695212e186b433b0178eb0b039660a8c8358315c00c6309a9f77953608d6f48f0105d80b96a7e69e98681969864098750eb3731fd4
- SSDEEP
  
  192:xrXP/cgesPouvhbzvPKPCyDwlLMYOHqvro3h:dXPne8ouvNPKPC2HqsR
Score

10^/10

revengerat nyancatrevenge persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengepersistencetrojan

© 2018-2024

Terms | Privacy