revengerat

Resubmissions

25-02-2024 02:03

240225-cg45caaa33 10

25-02-2024 01:59

240225-cesnjahh97 8

25-02-2024 01:31

240225-bxq2zshg26 10

25-02-2024 00:49

240225-a6gdgaab3x 7

Sharing

Copy URL

Twitter E-mail

General

Target

http://google.com
Sample

240225-cg45caaa33

Score

10^/10

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

brasil.ddns.com.br:333

Mutex

5e241e476b334640a2f

Targets

- Target
  
  http://google.com
Score

10^/10

revengerat nyancatrevenge discovery persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

urlscan1

behavioral1