revengerat | 861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc | Triage

Sharing

General

Target

Flytour.doc
Size

109KB
Sample

240801-h41ckasgnf
MD5

639df28efc7717655b1d8cc618a76b1c
SHA1

9e79c9d82ad07f95b09e73bbba792a889911f51e
SHA256

861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
SHA512

62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
SSDEEP

1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC

Score

10^/10

revengerat nyancatrevenge defense_evasion discovery execution macro persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

marcelotatuape.ddns.net:333

Mutex

3e042ee793c84

Targets

- Target
  
  Flytour.doc
- Size
  
  109KB
- MD5
  
  639df28efc7717655b1d8cc618a76b1c
- SHA1
  
  9e79c9d82ad07f95b09e73bbba792a889911f51e
- SHA256
  
  861375605b6f4b622556d5b04f6329440a26b38dfa066b114c55d258ac4895bc
- SHA512
  
  62fdd2c3b2da4481c4cb380e01a37c67f7005e5024cef3b960883b227b659e056680152d2d72002a1496e293e7f97a47d3a67f8ab890b63209a00f19862a3d6c
- SSDEEP
  
  1536:vkc1B8Tf5nq7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuB/xDC:vV2ClwH9r0l77AnsSmy/B/xDC
Score

10^/10

discovery revengerat nyancatrevenge defense_evasion execution persistence trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

revengeratnyancatrevengedefense_evasiondiscoveryexecutionpersistencetrojan