revengerat | 2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d

General

Target

21b7a4cfbf3b18c1702c051c724e0e8e.exe
Size

2.1MB
MD5

21b7a4cfbf3b18c1702c051c724e0e8e
SHA1

0e3141161e06b3599e02bf71bcb4fd34abc4e71d
SHA256

2c1029c9d37fffe70cb817d24ba07e7c2c6bed1d38bebb7c3b11b55811503c9d
SHA512

520ee73c961844677e1f127336334be583449625233b2a63d9b5b58b9fa27fafaeb06263ccfe8434d23f2e23b8cd2143c19b1064e3d04eec97a16f7b37eef7ad
SSDEEP

49152:Q9ijgQO1PMDozYAPz2UNZJjN9IQEiXm1eCQTe:QRMDoMu28rnIQEiJbC

Score

10^/10

revengerat zgrat nyancatrevenge persistence rat trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3601

Mutex

159ffe7d99124a92baa

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2796-18-0x0000000004F50000-0x0000000004FCE000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-19-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-20-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-22-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-24-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-26-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-28-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-30-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-32-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-34-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-36-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-38-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-48-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-58-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-70-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-76-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-78-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-74-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-82-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-80-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-72-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-68-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-66-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-64-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-62-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-60-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-56-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-54-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-52-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-50-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-46-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-44-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-42-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2796-40-0x0000000004F50000-0x0000000004FC8000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Installer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\JavaUpdate\\JavaUpdate.exe\","	Installer.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

Installer.exeInstaller.exe

pid process

2796 Installer.exe
2336 Installer.exe
Loads dropped DLL 1 IoCs

Processes:

Installer.exe

pid process

2796 Installer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Installer.exe

description pid process target process

PID 2796 set thread context of 2336 2796 Installer.exe Installer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Installer.exepowershell.exe

pid process

2796 Installer.exe
1264 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Installer.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2796 Installer.exe
Token: SeDebugPrivilege 1264 powershell.exe

pid	process
2796	Installer.exe
2336	Installer.exe

pid	process
2796	Installer.exe

description	pid	process	target process
PID 2796 set thread context of 2336	2796	Installer.exe	Installer.exe

pid	process
2796	Installer.exe
1264	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2796	Installer.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

21b7a4cfbf3b18c1702c051c724e0e8e.exeInstaller.exeWScript.exe

description	pid	process	target process
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 1136 wrote to memory of 2796	1136	21b7a4cfbf3b18c1702c051c724e0e8e.exe	Installer.exe
PID 2796 wrote to memory of 1884	2796	Installer.exe	WScript.exe
PID 2796 wrote to memory of 1884	2796	Installer.exe	WScript.exe
PID 2796 wrote to memory of 1884	2796	Installer.exe	WScript.exe
PID 2796 wrote to memory of 1884	2796	Installer.exe	WScript.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 2796 wrote to memory of 2336	2796	Installer.exe	Installer.exe
PID 1884 wrote to memory of 1264	1884	WScript.exe	powershell.exe
PID 1884 wrote to memory of 1264	1884	WScript.exe	powershell.exe
PID 1884 wrote to memory of 1264	1884	WScript.exe	powershell.exe
PID 1884 wrote to memory of 1264	1884	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\21b7a4cfbf3b18c1702c051c724e0e8e.exe
"C:\Users\Admin\AppData\Local\Temp\21b7a4cfbf3b18c1702c051c724e0e8e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tonofbfnuxml.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe
3⤵
- Executes dropped EXE
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe
Filesize
1.1MB

MD5
5b174199e0a570d9b352f9170e47ceda

SHA1
d8c4e8477bfd4588f407abbea2365d22d7c1c8fc

SHA256
dea64b3d68e332bac36135e37457c6f634d6b0b8a9231ebb69a3408a0b63cead

SHA512
32a2146f07d3d32fb3e020fa5fe819c5ce01de6094752aaeff3e8e931850662c9869a36706e0884c41aeada65cccaaf3ed5af0b27e135f48c5486e95f61209b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe
Filesize
93KB

MD5
23b20f742f32fb2fd3974bab8e99fd10

SHA1
75caf0b8fa652f95a05fc7b2f5d4980485b7ff8e

SHA256
0079cdacfcceb72d664b71203b4795a72b72e32606a973661b9a4c76692c3d33

SHA512
dbb2a3e373b59be2740d99a5b858234d6e0bf844cb1a5417095d4563541ea2d4d0b43e1e45fcf4066ddefcfcba7d9d78ebfb0fe81003c74880266c9743801e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Tonofbfnuxml.vbs
Filesize
149B

MD5
75fda8189e60e05655aea55fe68591c0

SHA1
de2177e12403c59f81d278497a387089ddd10d73

SHA256
cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5

SHA512
1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

Download Submit
memory/1136-0-0x0000000000D20000-0x0000000000F42000-memory.dmp

Filesize
2.1MB

Download
memory/1136-1-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1136-9-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/1264-2399-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1264-2400-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-2397-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/1264-2398-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1264-2396-0x0000000074340000-0x00000000748EB000-memory.dmp

Filesize
5.7MB

Download
memory/2336-2402-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2336-2401-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-2393-0x0000000073930000-0x000000007401E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-2392-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2796-48-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-68-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-20-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-22-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-24-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-26-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-28-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-30-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-32-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-34-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-36-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-38-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-18-0x0000000004F50000-0x0000000004FCE000-memory.dmp

Filesize
504KB

Download
memory/2796-58-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-70-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-76-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-78-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-74-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-82-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-80-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-72-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-19-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-66-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-64-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-62-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-60-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-56-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-54-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-52-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-50-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-46-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-44-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-42-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-40-0x0000000004F50000-0x0000000004FC8000-memory.dmp

Filesize
480KB

Download
memory/2796-17-0x00000000006E0000-0x000000000072A000-memory.dmp

Filesize
296KB

Download
memory/2796-16-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2796-15-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2796-14-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-13-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2796-12-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2796-11-0x00000000012E0000-0x00000000013F8000-memory.dmp

Filesize
1.1MB

Download
memory/2796-10-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2796-2391-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads