revengerat | c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e | Triage

Submit
Reports

Overview

overview

Static

static

1

Reserva Detalhes.ppam

windows7-x64

Reserva Detalhes.ppam

windows10-2004-x64

Sharing

General

Target

Reserva Detalhes.ppam
Size

12KB
Sample

240325-twdpdafe6x
MD5

a1d2e92429553425cf7505c8563b84ed
SHA1

d5550fa4da1db73fb15f3fcdd8935504350c392b
SHA256

c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e
SHA512

9db3cce89055888cf4f7ef8db57dc171fa48f16a5d6724a540f16b365514672e6ec283b25cf6a3e7985c5dd57d5c7538263da690596eaa71dcac7cfeaf677f98
SSDEEP

192:xrXP/Rz9m/qgC0XvXUyhRT2QiDjhmdihVGBZGinvSo0Ctbc7PHET:dXPWqgvXmQiDVm8GBklWbc7PG

Score

10^/10

revengerat nyancatrevenge persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

Reserva Detalhes.ppam

Resource

win7-20240215-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

Reserva Detalhes.ppam

Resource

win10v2004-20240226-en

revengerat nyancatrevenge persistence trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://pt.textbin.net/download/zbbh8tfbo9

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

0f84d46907494

Targets

- Target
  
  Reserva Detalhes.ppam
- Size
  
  12KB
- MD5
  
  a1d2e92429553425cf7505c8563b84ed
- SHA1
  
  d5550fa4da1db73fb15f3fcdd8935504350c392b
- SHA256
  
  c495ec8d688d14f6e90a75d6570ffbb3f34cd716e05f661a5c57acaf7cccc10e
- SHA512
  
  9db3cce89055888cf4f7ef8db57dc171fa48f16a5d6724a540f16b365514672e6ec283b25cf6a3e7985c5dd57d5c7538263da690596eaa71dcac7cfeaf677f98
- SSDEEP
  
  192:xrXP/Rz9m/qgC0XvXUyhRT2QiDjhmdihVGBZGinvSo0Ctbc7PHET:dXPWqgvXmQiDVm8GBklWbc7PG
Score

10^/10

revengerat nyancatrevenge persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengepersistencetrojan

© 2018-2024

Terms | Privacy