revengerat | 2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d | Triage

Submit
Reports

Overview

overview

Static

static

3

21b7a4cfbf...8e.exe

windows7-x64

21b7a4cfbf...8e.exe

windows10-2004-x64

Sharing

General

Target

21b7a4cfbf3b18c1702c051c724e0e8e
Size

2.1MB
Sample

231225-qqhvcscah7
MD5

21b7a4cfbf3b18c1702c051c724e0e8e
SHA1

0e3141161e06b3599e02bf71bcb4fd34abc4e71d
SHA256

2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d
SHA512

520ee73c961844677e1f127336334be583449625233b2a63d9b5b58b9fa27fafaeb06263ccfe8434d23f2e23b8cd2143c19b1064e3d04eec97a16f7b37eef7ad
SSDEEP

49152:Q9ijgQO1PMDozYAPz2UNZJjN9IQEiXm1eCQTe:QRMDoMu28rnIQEiJbC

Score

10^/10

revengerat zgrat nyancatrevenge persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

21b7a4cfbf3b18c1702c051c724e0e8e.exe

Resource

win7-20231215-en

revengerat zgrat nyancatrevenge persistence rat trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

21b7a4cfbf3b18c1702c051c724e0e8e.exe

Resource

win10v2004-20231215-en

revengerat zgrat nyancatrevenge persistence rat trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3601

Mutex

159ffe7d99124a92baa

Targets

- Target
  
  21b7a4cfbf3b18c1702c051c724e0e8e
- Size
  
  2.1MB
- MD5
  
  21b7a4cfbf3b18c1702c051c724e0e8e
- SHA1
  
  0e3141161e06b3599e02bf71bcb4fd34abc4e71d
- SHA256
  
  2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d
- SHA512
  
  520ee73c961844677e1f127336334be583449625233b2a63d9b5b58b9fa27fafaeb06263ccfe8434d23f2e23b8cd2143c19b1064e3d04eec97a16f7b37eef7ad
- SSDEEP
  
  49152:Q9ijgQO1PMDozYAPz2UNZJjN9IQEiXm1eCQTe:QRMDoMu28rnIQEiJbC
Score

10^/10

revengerat zgrat nyancatrevenge persistence rat trojan
- Detect ZGRat V1
- Modifies WinLogon for persistence
  persistence
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

revengeratzgratnyancatrevengepersistencerattrojan

behavioral2

revengeratzgratnyancatrevengepersistencerattrojan

© 2018-2024

Terms | Privacy