Overview
General (score 10/10)
Target: 0fb62cc606d4f89e154b921f67031b87ce6becc39392c21aa90fc495386a39ab.zip
Size: 7.3MB
Sample: 240128-3ezpyscgb6
MD5: 20f619f6bd928caa412624a16ad650a0
SHA1: d1b133b6a80e9a486b2c31c6fbea3ca28b423a55
SHA256: 93bdb4995804bcb4009f4c255c10896c1b97554efdfcd8e5d5fb50adfa5e3084
SHA512: b26199359852b7dabd6175d57abdafe7f949baa05887276201a8f573ab546888b1cec945d70f5bc8f0e67360a0e272956fb1115a2a381620a9e0cbdd8379fa1c
SSDEEP: 196608:x/EVs8Z6RCbqxD23GislnQrAuFS8jjr6G6b8WpR3X:x8V7ZcCboS3GiI4LrrubX
Behavioral tasks
behavioral1: pidor-main/Cinoshi-miner.exe (resource win7-20231215-en)
behavioral2: pidor-main/Cinoshi-miner.exe (resource win10v2004-20231215-en)
behavioral3: pidor-main/Client.exe (resource win7-20231215-en)
behavioral4: pidor-main/Client.exe (resource win10v2004-20231222-en)
behavioral5: pidor-main/LC.exe (resource win7-20231215-en)
behavioral6: pidor-main/LC.exe (resource win10v2004-20231215-en)
behavioral7: pidor-main/README.md (resource win7-20231215-en)
behavioral8: pidor-main/README.md (resource win10v2004-20231215-en)
behavioral9: pidor-main/crypted_lc.exe (resource win7-20231215-en)
behavioral10: pidor-main/crypted_lc.exe (resource win10v2004-20231215-en)
Malware Config
Extracted: revengerat
Guest
C2: (host list omitted)
Updater
Targets

Target: pidor-main/Cinoshi-miner.exe
Size: 10.0MB
MD5: 55a67a394a3cd0e0ac55fd1a3c038704
SHA1: b7003927a64c5453606a2e8b7cb7db0eb7380bf9
SHA256: c563ce3119632b1881b0120b93cb559081b30434b927125783b090d79cd4fed2
SHA512: c18c1b32437061d1cc792303a9ee1a0d73ed66df90898045f9cf6e9b71ced946cc8272f87666173f4b6a74d8d36fb0b30e0a277cbc8ee4c257dfa9b844a4f604
SSDEEP: 98304:hNfDLTdEbCMoGa9uzD1+e1O4juoYGM69RF5o9/ZFA0hkrjED0bA1uyXtYABmjhFm:hdDLTWnEQOM6GB9L5o9wrPmLwFF2DH
Score: 10/10
Signatures:
- Modifies security service
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Sets service image path in registry
- Stops running service(s)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: pidor-main/Client.exe
Size: 108KB
MD5: c1eda769243285a5ab239dcc706cbe6f
SHA1: 179761a6211206229a400cc7a8872ca9d01f1e0f
SHA256: f878f5b461d0c7ce92a6ce26329f735170f38d3f64b7fc5e26a7194a74b7900c
SHA512: c496cffb09f3a1a2f25a9e6d2ea6cc84a51e5b8d275d6cf1952dcf364ff0b3cfd4f9de461bfa5c7c06668933c7d984d0be9a1b6e93b421b442b0758613511b56
SSDEEP: 1536:LdLCk/ZKot6wFtQ3S686nBGcU0eLLS70q0E12jhKhmnW3iDBq+QD3tSYEz:9zgKFa3QEkcnTYNE1qhKhCDU9SYo
Score: 10/10
Signatures:
- RevengeRat Executable
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
Target: pidor-main/LC.exe
Size: 147KB
MD5: 26235fadd208c44f23c046d515ea295d
SHA1: 3e22368629014f572e61a30849b12dbf972a1b0b
SHA256: b63fedc06d9e500f1a8e0da5abb8a9e191ae67a6018698bfcf453b96f519aad7
SHA512: 580d45433b7d5fb6548df287d7eb3ca91d0270de6fc4147ee0e897047cade5bd31c0f31ade27647531be82bdeeebf8fc4932e35c58c52840ac6c846693565f5c
SSDEEP: 3072:3Tj8lJVPR6yB4jPZXdHtpyBI8Qx5V1RVl79ufxY:33yrGpd758O55Vl7F
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
Target: pidor-main/README.md
Size: 8B
MD5: bc5a405a2731f3c43f33f64c7fa9caee
SHA1: 6d866571030bf018c3885c801ce8ae31d0c6abbc
SHA256: c6ad7d0f4941020fafb862dcb20487ecca3fd40bbab28dc103e12ed1c0fb01f3
SHA512: c7af66dd4b857f451265a03380938507ba99b14cfb1fb901c3de2a375624312ebab024e90b5783c634140665ab0f3bf3d74663ddbe5dad252a5d8c870902f5d2
Score: 3/10
Signatures: none
Target: pidor-main/crypted_lc.exe
Size: 413KB
MD5: 7d2e82ce8e0ed785eb551ecf7108b6a3
SHA1: 3b69ab0a613a0073a605b305db24cbd18d0bb9b4
SHA256: a9eb8a0e95a43778201115c0ae9eae51740998b6d2d599d945197d62368a04e4
SHA512: 559c70874f4a97f6d57fb8f48d800cec382acfae293f66d4aedd9d3fd65499245edd2690dca24a9e5672ce272f90640baa305d5b28f2289d197d91b428cfa210
SSDEEP: 6144:bLwJAhrFxx1y4yJK9+uBxiE3w8qEgV2zi2kJ7X15IfYJnZh3rTyRW:bNhrl1poK9+qcKtXM5IfYhvyRW
Score: 10/10
Signatures:
- Modifies WinLogon for persistence
- Adds Run key to start application
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Create or Modify System Process: 2
  - Windows Service: 2
- Boot or Logon Autostart Execution: 6
  - Registry Run Keys / Startup Folder: 4
  - Winlogon Helper DLL: 2
- Scheduled Task/Job: 2

Privilege Escalation
- Create or Modify System Process: 2
  - Windows Service: 2
- Boot or Logon Autostart Execution: 6
  - Registry Run Keys / Startup Folder: 4
  - Winlogon Helper DLL: 2
- Scheduled Task/Job: 2

Defense Evasion
- Modify Registry: 7
- Impair Defenses: 1
- Scripting: 1
- Hide Artifacts: 1
  - Hidden Files and Directories: 1