revengerat | 8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d

General

Target

8370e6258d17dbbf8e9f4f3dced934ab.exe
Size

465KB
MD5

8370e6258d17dbbf8e9f4f3dced934ab
SHA1

0a276283e3784d2d5443deee623fc1ed29ae21d4
SHA256

8a62013424695bf95dea19f504de1636f2093be8b27c3f314b2daf617b00ec1d
SHA512

46b70138cc34405df1a4f716064e137ba7b1f69f178de9a1988e63734fe21d066c4f3a4818676ca7e8df720086446db94b59c5fd0bacfb07cc8c72b635f2b014
SSDEEP

6144:GhzpyQ/Hr2KeDYdk495R+2rbjUR0oXFL9P2XYtJkWDGDS9Jo4IZNW8u2wND8:GdF/HRly4rnrbCLMXYXDGAJoT2T/I

Score

10^/10

revengerat zgrat nyancatrevenge persistence rat trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

dontreachme.duckdns.org:3602

Mutex

774d753e6b8d42

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-4-0x00000000082E0000-0x000000000835A000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-5-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-6-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-10-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-8-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-12-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-42-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-40-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-38-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-36-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-50-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-48-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-46-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-44-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-68-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-66-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-64-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-62-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-60-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-58-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-56-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-54-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-52-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-34-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-32-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-30-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-28-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-26-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-24-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-22-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-20-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-18-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-16-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-14-0x00000000082E0000-0x0000000008353000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\JavaUpdate\\JavaUpdate.exe\","	8370e6258d17dbbf8e9f4f3dced934ab.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

1784 InstallUtil.exe
Loads dropped DLL 1 IoCs

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exe

pid process

2628 8370e6258d17dbbf8e9f4f3dced934ab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exe

description pid process target process

PID 2628 set thread context of 1784 2628 8370e6258d17dbbf8e9f4f3dced934ab.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exepowershell.exe

pid process

2628 8370e6258d17dbbf8e9f4f3dced934ab.exe
2628 8370e6258d17dbbf8e9f4f3dced934ab.exe
1668 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2628 8370e6258d17dbbf8e9f4f3dced934ab.exe
Token: SeDebugPrivilege 1668 powershell.exe

pid	process
1784	InstallUtil.exe

pid	process
2628	8370e6258d17dbbf8e9f4f3dced934ab.exe

description	pid	process	target process
PID 2628 set thread context of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe

pid	process
2628	8370e6258d17dbbf8e9f4f3dced934ab.exe
2628	8370e6258d17dbbf8e9f4f3dced934ab.exe
1668	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

8370e6258d17dbbf8e9f4f3dced934ab.exeWScript.exe

description	pid	process	target process
PID 2628 wrote to memory of 2236	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	WScript.exe
PID 2628 wrote to memory of 2236	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	WScript.exe
PID 2628 wrote to memory of 2236	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	WScript.exe
PID 2628 wrote to memory of 2236	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	WScript.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe
PID 2236 wrote to memory of 1668	2236	WScript.exe	powershell.exe
PID 2236 wrote to memory of 1668	2236	WScript.exe	powershell.exe
PID 2236 wrote to memory of 1668	2236	WScript.exe	powershell.exe
PID 2236 wrote to memory of 1668	2236	WScript.exe	powershell.exe
PID 2628 wrote to memory of 1784	2628	8370e6258d17dbbf8e9f4f3dced934ab.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe
"C:\Users\Admin\AppData\Local\Temp\8370e6258d17dbbf8e9f4f3dced934ab.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Zxkynuwumetvrhuekotsoz.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\JavaUpdate\JavaUpdate.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
2⤵
- Executes dropped EXE
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Zxkynuwumetvrhuekotsoz.vbs
Filesize
149B

MD5
75fda8189e60e05655aea55fe68591c0

SHA1
de2177e12403c59f81d278497a387089ddd10d73

SHA256
cf8322af201e7b0f5d5b2b93c0df541c8785436ebdf04a32addc46b13caf81c5

SHA512
1bc581cbe6ba2f7f9a419bdb9b582ec5585d5cdfd8e245cab19c269d2bd4ecbc151cd98996b8d5f330304fda243c4a13388f1c601111dbab59fd0ad35e5ea647

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/1668-2237-0x0000000072700000-0x0000000072CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-2240-0x0000000072700000-0x0000000072CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-2239-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/1668-2238-0x0000000072700000-0x0000000072CAB000-memory.dmp

Filesize
5.7MB

Download
memory/1784-2234-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1784-2233-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-2241-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-66-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-54-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-6-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-10-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-8-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-12-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-42-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-40-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-38-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-36-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-50-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-48-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-46-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-44-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-68-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-4-0x00000000082E0000-0x000000000835A000-memory.dmp

Filesize
488KB

Download
memory/2628-64-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-62-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-60-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-58-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-56-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-5-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-52-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-34-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-32-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-30-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-28-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-26-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-24-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-22-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-167-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-20-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-18-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-16-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-3-0x00000000010D0000-0x0000000001118000-memory.dmp

Filesize
288KB

Download
memory/2628-2-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2628-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-0-0x0000000001320000-0x000000000139A000-memory.dmp

Filesize
488KB

Download
memory/2628-14-0x00000000082E0000-0x0000000008353000-memory.dmp

Filesize
460KB

Download
memory/2628-2208-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2628-2230-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads