Overview

overview

10

Static

static

1

f30b759f79...45.ps1

windows7-x64

10

f30b759f79...45.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2024, 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f30b759f79a6be1fd1dcb3536d412eb81e187700153522776f70a9c4e8ff3b45.ps1

  • Size

    801KB

  • MD5

    f4935e63eaedf1f0392d19e27a9b8d0c

  • SHA1

    8c4c053689ff800fc06225f3958b0cb3aece902a

  • SHA256

    f30b759f79a6be1fd1dcb3536d412eb81e187700153522776f70a9c4e8ff3b45

  • SHA512

    7add6d57d8d70703178892a28d183ff88528d26f17c7438ec9e427cff55ed797a6b2dc909278d5cfea52321d2b9adc2b775b3673e031c2704ff5c3ba41eba0d6

  • SSDEEP

    12288:OZmTk3LmZmTk3Lv2RDsUU1Vq2RDsUU1VV2RDsUU1V2:OZmTAKZmTAr25gq25gV25g2

Score
10/10
revengeratnyancatrevengeexecutiontrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

lua.ddns.com.br:5222

Mutex

101f19215cac

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\f30b759f79a6be1fd1dcb3536d412eb81e187700153522776f70a9c4e8ff3b45.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Command and Scripting Interpreter: PowerShell
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Checks processor information in registry
      PID:32

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srggifra.egu.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/32-27-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/32-38-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/32-37-0x00000000747FE000-0x00000000747FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/32-36-0x0000000005C00000-0x0000000005C66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/32-35-0x0000000006250000-0x00000000062EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/32-34-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/32-33-0x0000000005CA0000-0x0000000006244000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/32-32-0x00000000747FE000-0x00000000747FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2148-14-0x0000025766040000-0x0000025766060000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2148-31-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2148-20-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-18-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-16-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-24-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-30-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2148-22-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-26-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-15-0x0000025766040000-0x0000025766058000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2148-0-0x00007FFA56CE3000-0x00007FFA56CE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2148-13-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2148-12-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2148-11-0x00007FFA56CE0000-0x00007FFA577A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2148-1-0x000002574DA20000-0x000002574DA42000-memory.dmp

    Filesize

    136KB

    Download