General

  • Target

    Reserva Advogados Associados.ppam

  • Size

    9KB

  • Sample

    231210-t1yv4shea3

  • MD5

    e76c8251c1c8e7bb5be87af6de62e90a

  • SHA1

    02b22cc9a7a930cbffd2043b919d631588223f0a

  • SHA256

    7cf01c820b438ecf19e2e39b7c34d938538f371ab63b9092ad97f80070c5395e

  • SHA512

    1d7127075081f403f86e4599873bf133b97da9e4d4ebbc372e137dab406d37713d82db6c8c1be8d48ceee9e39e27fc7c55066bdea0036cfcccdce3813a566d00

  • SSDEEP

    192:xrXP/GaHykrQKPo8n80LMThXgX35Gy+bbIWX1PmY+FzQc2WVE:dXPpykrRg+rM9YUtbkWX18Wc2Wu

Malware Config

Extracted

  • Family

    revengerat

  • Botnet

    NyanCatRevenge

  • C2

    marcelotatuape.ddns.net:333

  • Mutex

    3b9ee4d4e0f34d7

Targets

    • Target

      Reserva Advogados Associados.ppam

    • Size

      9KB

    • MD5

      e76c8251c1c8e7bb5be87af6de62e90a

    • SHA1

      02b22cc9a7a930cbffd2043b919d631588223f0a

    • SHA256

      7cf01c820b438ecf19e2e39b7c34d938538f371ab63b9092ad97f80070c5395e

    • SHA512

      1d7127075081f403f86e4599873bf133b97da9e4d4ebbc372e137dab406d37713d82db6c8c1be8d48ceee9e39e27fc7c55066bdea0036cfcccdce3813a566d00

    • SSDEEP

      192:xrXP/GaHykrQKPo8n80LMThXgX35Gy+bbIWX1PmY+FzQc2WVE:dXPpykrRg+rM9YUtbkWX18Wc2Wu

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 4

  • System Information Discovery (T1082): 4

  • Remote System Discovery (T1018): 1