General

  • Target

    0fb62cc606d4f89e154b921f67031b87ce6becc39392c21aa90fc495386a39ab.zip

  • Size

    7.3MB

  • Sample

    240128-3ezpyscgb6

  • MD5

    20f619f6bd928caa412624a16ad650a0

  • SHA1

    d1b133b6a80e9a486b2c31c6fbea3ca28b423a55

  • SHA256

    93bdb4995804bcb4009f4c255c10896c1b97554efdfcd8e5d5fb50adfa5e3084

  • SHA512

    b26199359852b7dabd6175d57abdafe7f949baa05887276201a8f573ab546888b1cec945d70f5bc8f0e67360a0e272956fb1115a2a381620a9e0cbdd8379fa1c

  • SSDEEP

    196608:x/EVs8Z6RCbqxD23GislnQrAuFS8jjr6G6b8WpR3X:x8V7ZcCboS3GiI4LrrubX

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

127.0.0.1:333

127.0.0.1:37734

127.0.0.1:17850

songs-travel.at.ply.gg:333

songs-travel.at.ply.gg:37734

songs-travel.at.ply.gg:17850

tcp://2.tcp.eu.ngrok.io:333

tcp://2.tcp.eu.ngrok.io:37734

tcp://2.tcp.eu.ngrok.io:17850

2.tcp.eu.ngrok.io:333

2.tcp.eu.ngrok.io:37734

2.tcp.eu.ngrok.io:17850

Note: the 127.0.0.1 entries are loopback addresses and are not actionable indicators. songs-travel.at.ply.gg and 2.tcp.eu.ngrok.io are endpoints of tunnelling services (playit.gg and ngrok) that relay to the operator's real host, which is what the "Legitimate hosting services abused for malware hosting/C2" signature below refers to; the hostnames are shared infrastructure, so hunt on the full host:port pairs (ports 333, 37734 and 17850) rather than blocking the service domains outright.

Mutex

Updater
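The C2 list above mixes loopback placeholders, bare host:port strings and tcp:// URLs, and repeats the same endpoints with and without a scheme. The following is an added example (not part of the sandbox report) that normalises such a list into unique host:port pairs and separates loopback entries from tunnelling-service endpoints, so that only the actionable pairs reach a hunting query. The endpoint strings are copied from the extracted config; the tunnel-suffix list and the bucket names are this example's own assumptions.

```python
"""Normalise and triage the C2 list from an extracted RAT config.

Added example, not part of the sandbox report. The endpoint strings are
those listed in the report's Malware Config section; the classification
rules (loopback, tunnelling-service suffixes) are this example's assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# C2 endpoints exactly as listed in the extracted config.
C2_ENDPOINTS = [
    "127.0.0.1:333", "127.0.0.1:37734", "127.0.0.1:17850",
    "songs-travel.at.ply.gg:333", "songs-travel.at.ply.gg:37734",
    "songs-travel.at.ply.gg:17850",
    "tcp://2.tcp.eu.ngrok.io:333", "tcp://2.tcp.eu.ngrok.io:37734",
    "tcp://2.tcp.eu.ngrok.io:17850",
    "2.tcp.eu.ngrok.io:333", "2.tcp.eu.ngrok.io:37734", "2.tcp.eu.ngrok.io:17850",
]

# Domain suffixes of tunnelling services that hand out short-lived endpoints.
# Assumption: illustrative list, extend it for your environment.
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ply.gg")


def parse_endpoint(entry: str) -> tuple:
    """Split 'host:port' or 'scheme://host:port' into (host, port)."""
    target = entry if "://" in entry else "//" + entry
    parts = urlsplit(target)
    if parts.hostname is None or parts.port is None:
        raise ValueError("unparseable C2 entry: %r" % entry)
    return parts.hostname, parts.port


def classify_host(host: str) -> str:
    """'loopback' for 127/8 or ::1, 'tunnel' for known tunnel suffixes, else 'direct'."""
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback"
    except ValueError:
        pass  # not an IP literal, fall through to the domain checks
    if host.lower().endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    return "direct"


def triage(entries):
    """Return unique host:port pairs bucketed by class, in first-seen order."""
    buckets = {"loopback": [], "tunnel": [], "direct": []}
    seen = set()
    for entry in entries:
        host, port = parse_endpoint(entry)
        key = (host.lower(), port)
        if key in seen:          # "tcp://x:333" and "x:333" are the same endpoint
            continue
        seen.add(key)
        buckets[classify_host(host)].append("%s:%d" % (host, port))
    return buckets


def hunting_indicators(entries):
    """Everything worth searching for in DNS/proxy/netflow logs: all but loopback."""
    buckets = triage(entries)
    return buckets["tunnel"] + buckets["direct"]


if __name__ == "__main__":
    for bucket, items in triage(C2_ENDPOINTS).items():
        print(bucket, items)
```

For this config the result is three loopback pairs (dropped), six tunnel pairs and no direct endpoints; the tunnel pairs are the indicators to search for, keyed on the port as much as the hostname.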

Targets

    • Target

      pidor-main/Cinoshi-miner.exe

    • Size

      10.0MB

    • MD5

      55a67a394a3cd0e0ac55fd1a3c038704

    • SHA1

      b7003927a64c5453606a2e8b7cb7db0eb7380bf9

    • SHA256

      c563ce3119632b1881b0120b93cb559081b30434b927125783b090d79cd4fed2

    • SHA512

      c18c1b32437061d1cc792303a9ee1a0d73ed66df90898045f9cf6e9b71ced946cc8272f87666173f4b6a74d8d36fb0b30e0a277cbc8ee4c257dfa9b844a4f604

    • SSDEEP

      98304:hNfDLTdEbCMoGa9uzD1+e1O4juoYGM69RF5o9/ZFA0hkrjED0bA1uyXtYABmjhFm:hdDLTWnEQOM6GB9L5o9wrPmLwFF2DH

    Score: 10/10
    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Sets service image path in registry

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      pidor-main/Client.exe

    • Size

      108KB

    • MD5

      c1eda769243285a5ab239dcc706cbe6f

    • SHA1

      179761a6211206229a400cc7a8872ca9d01f1e0f

    • SHA256

      f878f5b461d0c7ce92a6ce26329f735170f38d3f64b7fc5e26a7194a74b7900c

    • SHA512

      c496cffb09f3a1a2f25a9e6d2ea6cc84a51e5b8d275d6cf1952dcf364ff0b3cfd4f9de461bfa5c7c06668933c7d984d0be9a1b6e93b421b442b0758613511b56

    • SSDEEP

      1536:LdLCk/ZKot6wFtQ3S686nBGcU0eLLS70q0E12jhKhmnW3iDBq+QD3tSYEz:9zgKFa3QEkcnTYNE1qhKhCDU9SYo

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      pidor-main/LC.exe

    • Size

      147KB

    • MD5

      26235fadd208c44f23c046d515ea295d

    • SHA1

      3e22368629014f572e61a30849b12dbf972a1b0b

    • SHA256

      b63fedc06d9e500f1a8e0da5abb8a9e191ae67a6018698bfcf453b96f519aad7

    • SHA512

      580d45433b7d5fb6548df287d7eb3ca91d0270de6fc4147ee0e897047cade5bd31c0f31ade27647531be82bdeeebf8fc4932e35c58c52840ac6c846693565f5c

    • SSDEEP

      3072:3Tj8lJVPR6yB4jPZXdHtpyBI8Qx5V1RVl79ufxY:33yrGpd758O55Vl7F

    Score: 10/10
    • Modifies WinLogon for persistence

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      pidor-main/README.md

    • Size

      8B

    • MD5

      bc5a405a2731f3c43f33f64c7fa9caee

    • SHA1

      6d866571030bf018c3885c801ce8ae31d0c6abbc

    • SHA256

      c6ad7d0f4941020fafb862dcb20487ecca3fd40bbab28dc103e12ed1c0fb01f3

    • SHA512

      c7af66dd4b857f451265a03380938507ba99b14cfb1fb901c3de2a375624312ebab024e90b5783c634140665ab0f3bf3d74663ddbe5dad252a5d8c870902f5d2

    Score: 3/10
    • Target

      pidor-main/crypted_lc.exe

    • Size

      413KB

    • MD5

      7d2e82ce8e0ed785eb551ecf7108b6a3

    • SHA1

      3b69ab0a613a0073a605b305db24cbd18d0bb9b4

    • SHA256

      a9eb8a0e95a43778201115c0ae9eae51740998b6d2d599d945197d62368a04e4

    • SHA512

      559c70874f4a97f6d57fb8f48d800cec382acfae293f66d4aedd9d3fd65499245edd2690dca24a9e5672ce272f90640baa305d5b28f2289d197d91b428cfa210

    • SSDEEP

      6144:bLwJAhrFxx1y4yJK9+uBxiE3w8qEgV2zi2kJ7X15IfYJnZh3rTyRW:bNhrl1poK9+qcKtXM5IfYhvyRW

    Score: 10/10

MITRE ATT&CK Matrix (ATT&CK v13)

Each entry gives the technique, its ATT&CK ID and the number of behaviour signatures mapped to it.

  • Execution

      Scheduled Task/Job (T1053): 2
      Scripting (T1064): 1

  • Persistence

      Create or Modify System Process (T1543): 2
        Windows Service (T1543.003): 2
      Boot or Logon Autostart Execution (T1547): 6
        Registry Run Keys / Startup Folder (T1547.001): 4
        Winlogon Helper DLL (T1547.004): 2
      Scheduled Task/Job (T1053): 2

  • Privilege Escalation

      Create or Modify System Process (T1543): 2
        Windows Service (T1543.003): 2
      Boot or Logon Autostart Execution (T1547): 6
        Registry Run Keys / Startup Folder (T1547.001): 4
        Winlogon Helper DLL (T1547.004): 2
      Scheduled Task/Job (T1053): 2

  • Defense Evasion

      Modify Registry (T1112): 7
      Impair Defenses (T1562): 1
      Scripting (T1064): 1
      Hide Artifacts (T1564): 1
        Hidden Files and Directories (T1564.001): 1

  • Discovery

      Query Registry (T1012): 4
      Peripheral Device Discovery (T1120): 1
      System Information Discovery (T1082): 4

  • Command and Control

      Web Service (T1102): 1

  • Impact

      Service Stop (T1489): 1

Note: T1064 (Scripting) is a deprecated ATT&CK technique ID that the sandbox still emits; map it to T1059 (Command and Scripting Interpreter) when importing these mappings into a current ATT&CK-based tool.
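The persistence techniques in the matrix (Run keys T1547.001, Winlogon helpers T1547.004, service ImagePath T1543.003) are the places to check on a host suspected of having run these samples. The following is an added example, not code from the sandbox or the report, of the checking logic run over a constructed registry snapshot; the snapshot values, the expected Winlogon defaults and the user-writable directory list are this example's assumptions. On a live Windows host the same dict would be filled from `winreg` or a `reg export`.

```python
"""Flag autostart entries in the locations the report's signatures name.

Added example, not part of the sandbox report. Works on a plain dict
(registry value path -> data) so it runs anywhere; the snapshot below is
constructed to exercise each check and is not data from the report.
"""
import re

# Constructed snapshot. Entries marked "suspect" are made up; the file names
# borrow the report's Client.exe / LC.exe but the paths are assumptions.
SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\Windows\system32\userinit.exe,C:\Users\victim\AppData\Roaming\LC.exe",  # suspect
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent":
        r'"C:\Program Files\Example\agent.exe" /min',
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\victim\AppData\Roaming\Client.exe",  # suspect
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath":
        r"C:\Windows\System32\spoolsv.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\svcupd\ImagePath":
        r"C:\Users\victim\AppData\Local\Temp\drv.sys",  # suspect
}

# Directories a standard user can write to. Assumption: adjust for your build.
USER_WRITABLE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\)",
    re.IGNORECASE,
)

# Default Winlogon helper values on a stock Windows install (lower-cased).
EXPECTED_WINLOGON = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def _programs(value):
    """Yield each program in a comma-separated Winlogon value, unquoted and lower-cased."""
    for item in value.split(","):
        item = item.strip().strip('"').lower()
        if item:                      # Userinit normally ends with a trailing comma
            yield item


def check_persistence(snapshot):
    """Return a list of (technique_id, registry_path, reason) findings."""
    findings = []
    for path, data in snapshot.items():
        key, _, name = path.rpartition("\\")
        key_l = key.lower()
        if key_l.endswith("\\winlogon") and name in EXPECTED_WINLOGON:
            # T1547.004: any program beyond the stock helper is a finding
            for prog in _programs(data):
                if prog not in EXPECTED_WINLOGON[name]:
                    findings.append(("T1547.004", path, "unexpected %s entry: %s" % (name, prog)))
        elif key_l.endswith(("\\run", "\\runonce")):
            # T1547.001: Run values launching from user-writable locations
            if USER_WRITABLE.search(data):
                findings.append(("T1547.001", path, "Run value points into a user-writable directory"))
        elif name.lower() == "imagepath":
            # T1543.003: service binaries outside protected directories
            if USER_WRITABLE.search(data):
                findings.append(("T1543.003", path, "service binary in a user-writable directory"))
    return findings


if __name__ == "__main__":
    for tid, path, reason in check_persistence(SNAPSHOT):
        print(tid, path, reason)
```

The user-writable heuristic is deliberately loose: some legitimate software does autostart from AppData, so treat each finding as a lead to verify against the file's hash (the report lists MD5/SHA1/SHA256 for every dropped binary) rather than as a verdict.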
