General

  • Target

    147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

  • Size

    54KB

  • Sample

    241010-1qgx6sybrc

  • MD5

    c50aa75e55eacfd0a85643c81d6962c5

  • SHA1

    3347d3c5b03afcd46ada31639c80174de5eac1df

  • SHA256

    147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

  • SHA512

    9e8bcac38eeab864ad914afa1ac81fcecc942dfc0bd90ab8bc3e9b720460792c8040133fc1118dc674263636f6ba28dbc69c4c7290bff13e0bf46394774d9694

  • SSDEEP

    768:XRcXUzsZ/e5aO67lghmts3yeibSOFgOK:6X/eG7lghnyDb

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

54.146.241.16:5222

Mutex

f9796de67e

Targets

    • Target

      147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

    • Size

      54KB

    • MD5

      c50aa75e55eacfd0a85643c81d6962c5

    • SHA1

      3347d3c5b03afcd46ada31639c80174de5eac1df

    • SHA256

      147f364a78efbe21c664cc3b57b52430a15a2d1856f10e0f4067942e39c9d6dc

    • SHA512

      9e8bcac38eeab864ad914afa1ac81fcecc942dfc0bd90ab8bc3e9b720460792c8040133fc1118dc674263636f6ba28dbc69c4c7290bff13e0bf46394774d9694

    • SSDEEP

      768:XRcXUzsZ/e5aO67lghmts3yeibSOFgOK:6X/eG7lghnyDb

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks