revengerat | 677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448 | Triage

Submit
Reports

Overview

overview

Static

static

1

677e627bb5...8.ppam

windows7-x64

677e627bb5...8.ppam

windows10-2004-x64

Sharing

General

Target

677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448.ppam
Size

7KB
Sample

240712-v43txavhng
MD5

01c730f1624626e5e1494f27ffb17605
SHA1

9028b0f9752bb5be30e24153c0d0e463f358f71c
SHA256

677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448
SHA512

97a04f4189d0b9c95c4a76beaa46e9a34e031d602349d14dc489d29ce9b18dbdd2a3515a157b0f8daa1b61729335a25c0de24e604ca93a293109fab0573a6627
SSDEEP

96:ZEKr9NP11z54AOBCXrThnmbV2OulCniyORirI364g6qUJdl+b72zuGp8zKNMk/jT:xrXP/z5bXpMUIc33jxJdls2ag8lkbMXE

Score

10^/10

revengerat nyancatrevenge execution trojan

Static task

static1

Behavioral task

behavioral1

Sample

677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448.ppam

Resource

win7-20240705-en

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448.ppam

Resource

win10v2004-20240709-en

revengerat nyancatrevenge execution trojan

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

win32.ddns.com.br:5222

Mutex

f32bcc90deea4

Targets

- Target
  
  677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448.ppam
- Size
  
  7KB
- MD5
  
  01c730f1624626e5e1494f27ffb17605
- SHA1
  
  9028b0f9752bb5be30e24153c0d0e463f358f71c
- SHA256
  
  677e627bb513c3cffe86522797f6350e98de398681851ebc7a33afc583390448
- SHA512
  
  97a04f4189d0b9c95c4a76beaa46e9a34e031d602349d14dc489d29ce9b18dbdd2a3515a157b0f8daa1b61729335a25c0de24e604ca93a293109fab0573a6627
- SSDEEP
  
  96:ZEKr9NP11z54AOBCXrThnmbV2OulCniyORirI364g6qUJdl+b72zuGp8zKNMk/jT:xrXP/z5bXpMUIc33jxJdls2ag8lkbMXE
Score

10^/10

execution revengerat nyancatrevenge trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengeexecutiontrojan

© 2018-2024

Terms | Privacy