8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d

General

Target

Revenge-RAT v3 - NYANxCAT.7z
Size

9.0MB
MD5

d0bdec0ca22aa6cdeae1abfb44f94ed9
SHA1

e5664aaf5b0cbaad33bbb6fb0389721cc863e51f
SHA256

8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d
SHA512

105fdf3867f2f56661756bc3356718b18fcf301584c126c9e68d1cdd2bc2b34b773325d0f8501fbb994001d6dc44a6e7765ff1286c0a55e9ff12b82602ba0a5a
SSDEEP

196608:CVxJlefNigwBUIiGrlLVM5c0h1Jfyc1LcORe:KJlefQl+IiGZVM5cK1J6uY1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Revenge-RAT v0.3.exe

pid process

1796 Revenge-RAT v0.3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1796	Revenge-RAT v0.3.exe

Modifies registry class 37 IoCs

Processes:

Revenge-RAT v0.3.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3"	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6c003100000000004c5996321000524556454e477e312e330000520009000400efbe4c598b324c5996322e000000f9aa01000000080000000000000000000000000000000b85170052006500760065006e00670065002d005200410054002000760030002e00330000001a000000	Revenge-RAT v0.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Revenge-RAT v0.3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Revenge-RAT v0.3.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Revenge-RAT v0.3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Revenge-RAT v0.3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Revenge-RAT v0.3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exeRevenge-RAT v0.3.exe

pid process

3824 7zFM.exe
1796 Revenge-RAT v0.3.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 3824 7zFM.exe
Token: 35 3824 7zFM.exe
Token: SeSecurityPrivilege 3824 7zFM.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7zFM.exeRevenge-RAT v0.3.exe

pid process

3824 7zFM.exe
3824 7zFM.exe
1796 Revenge-RAT v0.3.exe
1796 Revenge-RAT v0.3.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Revenge-RAT v0.3.exe

pid process

1796 Revenge-RAT v0.3.exe
1796 Revenge-RAT v0.3.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Revenge-RAT v0.3.exe

pid process

1796 Revenge-RAT v0.3.exe

pid	process
3824	7zFM.exe
1796	Revenge-RAT v0.3.exe

description	pid	process
Token: SeRestorePrivilege	3824	7zFM.exe
Token: 35	3824	7zFM.exe
Token: SeSecurityPrivilege	3824	7zFM.exe

pid	process
3824	7zFM.exe
3824	7zFM.exe
1796	Revenge-RAT v0.3.exe
1796	Revenge-RAT v0.3.exe

pid	process
1796	Revenge-RAT v0.3.exe
1796	Revenge-RAT v0.3.exe

pid	process
1796	Revenge-RAT v0.3.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2032

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0FE15BA7\Revenge-RAT v0.3\Icons\Onedrive.ico

Filesize
361KB

MD5
257440f1449c4505669d278bf431405c

SHA1
5235870185889ffa48234f1f4af14647634c19ef

SHA256
a3c9e33dafb4c829a57a81ba8a6d94c2da9b343b6f9d6c933a4b5b88bbd96495

SHA512
d99bf41a9017dcef261fc9886887fdeb3d3b6db806d92d8f76c783764caa7f94738b7258750a5fb26cb6069f471d1acfb55dc79db5855a5619e9d864e74761a7

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML

Filesize
826B

MD5
4920b64e47ad467a5210ffebd862b907

SHA1
56cd7e8c92921dc26b042853d4e1efa5e5913e5f

SHA256
baff51c6c633f762d68bea4822263572fc3a4569b94dd78716efbb5337e7c6d1

SHA512
b33fe6e335d2c62db6f3d0f98f16e76186676c3802d4d6867348055ca2fd0a517d6c0b75ac02de5a995af4d919ece39db3ff4150a8bd3b718163752c15a9bd14

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML

Filesize
826B

MD5
5650c1b32940bf34369662a34ccf3b34

SHA1
6e9b0668a6d92ad64315360ec81ae023b3f6adf3

SHA256
bc59f5241d8db465ad9d3df2e3c4751d38f48997242c79301b95e7404b10ff58

SHA512
26cd2a971ffb4103d089fb2977cc4a7dddba45ab2cf41f677e5c205965a03816a37d215092289788aa971a34c89a69143ef244f9a9b002ef584a577d179e440b

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\GeoIP.dat

Filesize
1021KB

MD5
953c073031a08211d72daeec0551a20d

SHA1
de7441086bf49d7e590172ee07ca9ccc3d690298

SHA256
6615e1e1d8e9ee5ae891dcc43fdd050787f28227369eed50ab3403b171a187f2

SHA512
076de07d270878c4846c0d091a76cec925d57399bdf937791232a5363bee7bdc9f14418530593f1a509fe0df3db0454793635b70feb913413829e1bf2c85b8a3

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe

Filesize
13.7MB

MD5
3a401ee7f0ebb09564f82891521b5e27

SHA1
47b8d2a42e4054b5dcac9f71454c9c3c285998d7

SHA256
e2a3f5a0149222888c9e48ff828f35b3b4ace7d6b21e4d55a1bb7a7b3f76fd7f

SHA512
b13556841b9db9f009d65b981abbb6690a6bfc6a7289c10c981d2303d66624ca8d80c2f545045409890cddc539794540db66dd520531bf17a4660c001efbee13

Download Submit
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Themes\Default.XML

Filesize
288B

MD5
8236b11ddfa2da4eefdaea1fb5c5f055

SHA1
5c80687119c1b666af761b4504478581c156b535

SHA256
13f89672439f33200d4356090fc568b7fe708b27a40b419ce3f63e7c83efa775

SHA512
63cabfb5f2b369730b2380c6ad1004b0ac1a168a949804b9893cedd9cd12ebd5811595d7bd1a013f2b54362ffacef5fff1252f655a49d39c6475e984ad7e74c9

Download Submit
memory/1796-214-0x000001F8DC720000-0x000001F8DD4D8000-memory.dmp

Filesize
13.7MB

Download

Resubmissions

Analysis

Sharing