Malware Analysis Report

2025-01-18 04:46

Sample ID 241012-g3lx4sxgkh
Target Revenge-RAT v3 - NYANxCAT.7z
SHA256 8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d
Tags upx
Score 7/10

Analysis Overview

Score 7/10

SHA256 8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d

Threat Level: Shows suspicious behavior

The file Revenge-RAT v3 - NYANxCAT.7z was found to show suspicious behavior.

Malicious Activity Summary

upx

Executes dropped EXE

UPX packed file

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-10-12 06:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 06:19

Reported

2024-10-12 06:21

Platform

win10-20240611-en

Max time kernel

78s

Max time network

82s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6c003100000000004c5996321000524556454e477e312e330000520009000400efbe4c598b324c5996322e000000f9aa01000000080000000000000000000000000000000b85170052006500760065006e00670065002d005200410054002000760030002e00330000001a000000 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A
N/A N/A C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe

"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zE0FE15BA7\Revenge-RAT v0.3\Icons\Onedrive.ico

MD5 257440f1449c4505669d278bf431405c
SHA1 5235870185889ffa48234f1f4af14647634c19ef
SHA256 a3c9e33dafb4c829a57a81ba8a6d94c2da9b343b6f9d6c933a4b5b88bbd96495
SHA512 d99bf41a9017dcef261fc9886887fdeb3d3b6db806d92d8f76c783764caa7f94738b7258750a5fb26cb6069f471d1acfb55dc79db5855a5619e9d864e74761a7

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe

MD5 3a401ee7f0ebb09564f82891521b5e27
SHA1 47b8d2a42e4054b5dcac9f71454c9c3c285998d7
SHA256 e2a3f5a0149222888c9e48ff828f35b3b4ace7d6b21e4d55a1bb7a7b3f76fd7f
SHA512 b13556841b9db9f009d65b981abbb6690a6bfc6a7289c10c981d2303d66624ca8d80c2f545045409890cddc539794540db66dd520531bf17a4660c001efbee13

memory/1796-214-0x000001F8DC720000-0x000001F8DD4D8000-memory.dmp

C:\Users\Admin\Desktop\Revenge-RAT v0.3\GeoIP.dat

MD5 953c073031a08211d72daeec0551a20d
SHA1 de7441086bf49d7e590172ee07ca9ccc3d690298
SHA256 6615e1e1d8e9ee5ae891dcc43fdd050787f28227369eed50ab3403b171a187f2
SHA512 076de07d270878c4846c0d091a76cec925d57399bdf937791232a5363bee7bdc9f14418530593f1a509fe0df3db0454793635b70feb913413829e1bf2c85b8a3

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Themes\Default.XML

MD5 8236b11ddfa2da4eefdaea1fb5c5f055
SHA1 5c80687119c1b666af761b4504478581c156b535
SHA256 13f89672439f33200d4356090fc568b7fe708b27a40b419ce3f63e7c83efa775
SHA512 63cabfb5f2b369730b2380c6ad1004b0ac1a168a949804b9893cedd9cd12ebd5811595d7bd1a013f2b54362ffacef5fff1252f655a49d39c6475e984ad7e74c9

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML

MD5 4920b64e47ad467a5210ffebd862b907
SHA1 56cd7e8c92921dc26b042853d4e1efa5e5913e5f
SHA256 baff51c6c633f762d68bea4822263572fc3a4569b94dd78716efbb5337e7c6d1
SHA512 b33fe6e335d2c62db6f3d0f98f16e76186676c3802d4d6867348055ca2fd0a517d6c0b75ac02de5a995af4d919ece39db3ff4150a8bd3b718163752c15a9bd14

C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML

MD5 5650c1b32940bf34369662a34ccf3b34
SHA1 6e9b0668a6d92ad64315360ec81ae023b3f6adf3
SHA256 bc59f5241d8db465ad9d3df2e3c4751d38f48997242c79301b95e7404b10ff58
SHA512 26cd2a971ffb4103d089fb2977cc4a7dddba45ab2cf41f677e5c205965a03816a37d215092289788aa971a34c89a69143ef244f9a9b002ef584a577d179e440b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 06:19

Reported

2024-10-12 06:25

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

203s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A