Analysis Overview
SHA256
8d8a9d8dbce44201be05da52db0c628c5ee06ae550dbf398c456316d7b58497d
Threat Level: Shows suspicious behavior
The file Revenge-RAT v3 - NYANxCAT.7z was classified as: shows suspicious behavior (generic behavioural signatures only; no family-specific detection fired in either detonation).
Malicious Activity Summary
Executes dropped EXE
UPX packed file
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-12 06:19
Signatures
UPX packed file
(1 match recorded; indicator details were not captured in this report)
Unsigned PE
(16 matches recorded; indicator details were not captured in this report)
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-12 06:19
Reported
2024-10-12 06:21
Platform
win10-20240611-en
Max time kernel
78s
Max time network
82s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
Enumerates physical storage devices
Modifies registry class
All entries below are Explorer ShellBag state under Local Settings\Software\Microsoft\Windows\Shell (BagMRU and Bags; the ComDlg subkey holds the common file dialog's view state), written when the sample's GUI browsed the extracted Revenge-RAT v0.3 folder. They record what was browsed and when, which is useful forensically, but they are not persistence: no Run key, service or scheduled task is touched in this trace.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "3" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6c003100000000004c5996321000524556454e477e312e330000520009000400efbe4c598b324c5996322e000000f9aa01000000080000000000000000000000000000000b85170052006500760065006e00670065002d005200410054002000760030002e00330000001a000000 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
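The BagMRU values in the table above are binary shell item lists, and the hex blobs can be decoded to recover exactly which folder the file dialog browsed and the FAT timestamps Windows recorded for it. The following Python is an added example and is not part of the sandbox report or of the sample: the three BagMRU values and the MRUListEx value are copied from the table and annotated field by field; the extension-block layout follows the publicly documented 0xbeef0004 format (version 9 as written by Windows 10), the two known-folder GUID names are the standard Windows values, and the decoded times are the VM's local clock at 2-second granularity.

```python
"""Decode the ShellBag (BagMRU) values from the behavioral1 registry trace.

Added example, not part of the sandbox report or the sample. The values are
copied from the report; field names follow the public shell item format."""
import struct
import uuid
from datetime import datetime

# Known-folder CLSIDs that the two parent items carry (standard Windows GUIDs).
KNOWN_GUIDS = {
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
    "b4bfcc3a-db2c-424c-b029-7fe99a87c641": "Desktop",
}

# BagMRU\1 : root item (type 0x1f) carrying the "My Computer" CLSID
BAGMRU_1 = bytes.fromhex("14001f50e04fd020ea3a6910a2d808002b30309d0000")
# BagMRU\1\0 : known-folder item (type 0x2e) carrying FOLDERID_Desktop
BAGMRU_1_0 = bytes.fromhex("14002e803accbfb42cdb4c42b0297fe99a87c6410000")
# BagMRU\1\0\0 : file entry item (type 0x31 = directory), annotated field by field
BAGMRU_1_0_0 = bytes.fromhex(
    "6c00" "31" "00" "00000000" "4c599632" "1000"      # size, type, pad, file size, FAT mtime, attrs
    "524556454e477e312e33" "00" "00"                  # 8.3 name "REVENG~1.3", NUL, pad to even
    "5200" "0900" "0400efbe"                          # ext block: size, version 9, sig 0xbeef0004
    "4c598b32" "4c599632" "2e00" "0000"               # FAT ctime, FAT atime, identifier, unknown
    "f9aa010000000800" "0000000000000000"             # NTFS MFT reference (entry, seq), unknown
    "0000" "00000000" "0b851700"                      # long string size, unknown (v9), unknown (v8)
    "52006500760065006e00670065002d00"                # long name, UTF-16LE ...
    "5200410054002000760030002e003300" "0000"         # ... "Revenge-RAT v0.3", NUL
    "1a00" "0000"                                     # offset of ext block (26), item-list terminator
)
# BagMRU\MRUListEx : most-recently-used child slots, 0xffffffff terminated
MRULISTEX = bytes.fromhex("0100000000000000ffffffff")


def fat_datetime(date: int, time: int) -> datetime:
    """DOS/FAT packed date and time (2-second resolution, VM local time)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_mrulistex(data: bytes) -> list:
    """Return the child slot numbers in MRU order (most recent first)."""
    order = []
    for (slot,) in struct.iter_unpack("<I", data):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def parse_shell_item(data: bytes) -> dict:
    size = struct.unpack_from("<H", data, 0)[0]
    item = data[:size]
    kind = item[2]
    if kind in (0x1F, 0x2E):  # root / known-folder items carry a CLSID at offset 4
        guid = str(uuid.UUID(bytes_le=item[4:20]))
        return {"type": kind, "name": KNOWN_GUIDS.get(guid, "{%s}" % guid)}
    if kind & 0x70 != 0x30:   # file entry items are 0x30-0x3f (0x31 directory, 0x32 file)
        raise ValueError("unsupported shell item type 0x%02x" % kind)
    mdate, mtime = struct.unpack_from("<HH", item, 8)
    short_name = item[14:item.index(b"\x00", 14)].decode("ascii")
    ext = item[struct.unpack_from("<H", item, size - 2)[0]:]  # offset kept in the last 2 bytes
    ext_size, version, signature = struct.unpack_from("<HHI", ext, 0)
    if signature != 0xBEEF0004 or version < 7:
        raise ValueError("unexpected extension block")
    cdate, ctime, adate, atime = struct.unpack_from("<HHHH", ext, 8)
    mft_entry = int.from_bytes(ext[20:26], "little")
    mft_seq = struct.unpack_from("<H", ext, 26)[0]
    name_off = 38 + (4 if version >= 8 else 0) + (4 if version >= 9 else 0)
    long_name = ext[name_off:ext_size].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "type": kind,
        "name": long_name,
        "short_name": short_name,
        "modified": fat_datetime(mdate, mtime).isoformat(sep=" "),
        "created": fat_datetime(cdate, ctime).isoformat(sep=" "),
        "accessed": fat_datetime(adate, atime).isoformat(sep=" "),
        "mft": (mft_entry, mft_seq),
    }


def reconstruct_path(items: list) -> str:
    """Join the per-level names into the folder the shell dialog browsed."""
    return "\\".join(parse_shell_item(i)["name"] for i in items)


if __name__ == "__main__":
    print(parse_shell_item(BAGMRU_1_0_0))
    print(reconstruct_path([BAGMRU_1, BAGMRU_1_0, BAGMRU_1_0_0]))
    print(parse_mrulistex(MRULISTEX))
```

Decoding gives the path My Computer\Desktop\Revenge-RAT v0.3, the 8.3 name REVENG~1.3, creation at 06:20:22 and modification at 06:20:44 on 2024-10-12, which sits inside the 06:19 submission / 06:21 report window of this detonation; the MRUListEx order [1, 0] says slot 1 (this path) was the most recently browsed child.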
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
The same signature fires on 7-Zip's file manager, so on its own it reflects ordinary GUI foreground-window polling and is not evidence of keylogging by the sample.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
All three adjustments are made by 7-Zip's file manager while extracting the archive (restore, symbolic-link and security privileges are what an archiver enables to write files and ACLs); none is made by the sample.
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
This is Windows' own rundll32 host for a shell COM local server (shell32!SHCreateLocalServerRunDll; -Embedding marks COM activation); it is a system component, not a file dropped by the sample.
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
"C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
The only traffic recorded is a reverse (PTR) lookup sent to 8.8.8.8, which is typical Windows background noise; no forward resolution of a C2 host and no connection by the sample were observed.
Files
C:\Users\Admin\AppData\Local\Temp\7zE0FE15BA7\Revenge-RAT v0.3\Icons\Onedrive.ico
| MD5 | 257440f1449c4505669d278bf431405c |
| SHA1 | 5235870185889ffa48234f1f4af14647634c19ef |
| SHA256 | a3c9e33dafb4c829a57a81ba8a6d94c2da9b343b6f9d6c933a4b5b88bbd96495 |
| SHA512 | d99bf41a9017dcef261fc9886887fdeb3d3b6db806d92d8f76c783764caa7f94738b7258750a5fb26cb6069f471d1acfb55dc79db5855a5619e9d864e74761a7 |
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Revenge-RAT v0.3.exe
| MD5 | 3a401ee7f0ebb09564f82891521b5e27 |
| SHA1 | 47b8d2a42e4054b5dcac9f71454c9c3c285998d7 |
| SHA256 | e2a3f5a0149222888c9e48ff828f35b3b4ace7d6b21e4d55a1bb7a7b3f76fd7f |
| SHA512 | b13556841b9db9f009d65b981abbb6690a6bfc6a7289c10c981d2303d66624ca8d80c2f545045409890cddc539794540db66dd520531bf17a4660c001efbee13 |
memory/1796-214-0x000001F8DC720000-0x000001F8DD4D8000-memory.dmp
C:\Users\Admin\Desktop\Revenge-RAT v0.3\GeoIP.dat
| MD5 | 953c073031a08211d72daeec0551a20d |
| SHA1 | de7441086bf49d7e590172ee07ca9ccc3d690298 |
| SHA256 | 6615e1e1d8e9ee5ae891dcc43fdd050787f28227369eed50ab3403b171a187f2 |
| SHA512 | 076de07d270878c4846c0d091a76cec925d57399bdf937791232a5363bee7bdc9f14418530593f1a509fe0df3db0454793635b70feb913413829e1bf2c85b8a3 |
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Themes\Default.XML
| MD5 | 8236b11ddfa2da4eefdaea1fb5c5f055 |
| SHA1 | 5c80687119c1b666af761b4504478581c156b535 |
| SHA256 | 13f89672439f33200d4356090fc568b7fe708b27a40b419ce3f63e7c83efa775 |
| SHA512 | 63cabfb5f2b369730b2380c6ad1004b0ac1a168a949804b9893cedd9cd12ebd5811595d7bd1a013f2b54362ffacef5fff1252f655a49d39c6475e984ad7e74c9 |
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML
| MD5 | 4920b64e47ad467a5210ffebd862b907 |
| SHA1 | 56cd7e8c92921dc26b042853d4e1efa5e5913e5f |
| SHA256 | baff51c6c633f762d68bea4822263572fc3a4569b94dd78716efbb5337e7c6d1 |
| SHA512 | b33fe6e335d2c62db6f3d0f98f16e76186676c3802d4d6867348055ca2fd0a517d6c0b75ac02de5a995af4d919ece39db3ff4150a8bd3b718163752c15a9bd14 |
C:\Users\Admin\Desktop\Revenge-RAT v0.3\Config.XML (second write of the same path during the run, with different content; both hashes are listed)
| MD5 | 5650c1b32940bf34369662a34ccf3b34 |
| SHA1 | 6e9b0668a6d92ad64315360ec81ae023b3f6adf3 |
| SHA256 | bc59f5241d8db465ad9d3df2e3c4751d38f48997242c79301b95e7404b10ff58 |
| SHA512 | 26cd2a971ffb4103d089fb2977cc4a7dddba45ab2cf41f677e5c205965a03816a37d215092289788aa971a34c89a69143ef244f9a9b002ef584a577d179e440b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-12 06:19
Reported
2024-10-12 06:25
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
203s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Both adjustments are made by 7-Zip's file manager; in this run the archive was only opened, and the extracted executable was never launched, so no signature is attributed to the sample itself.
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.7z"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
All five entries are reverse (PTR) lookups sent to 8.8.8.8, typical Windows background noise; no forward resolution of a C2 host was recorded in this run either.
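Both Network tables (behavioral1 above and behavioral2 here) list only names ending in in-addr.arpa, which are easy to misread as contacted domains. The following Python is an added example, not part of the report or of the sample's code: it converts each PTR name back to the address it asks about and separates reverse lookups from forward ones, so the check "did the sample resolve any host?" becomes a one-call answer. The rows are copied from the two tables; nothing else is assumed.

```python
"""Classify the Network rows from both detonations: reverse (PTR) lookups
versus forward name resolution. Added example; rows copied from the report."""
import ipaddress

# (destination, queried name, proto) as listed on the page, both runs
NETWORK_ROWS = [
    ("8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),   # behavioral1
    ("8.8.8.8:53", "22.160.190.20.in-addr.arpa", "udp"),   # behavioral2 ...
    ("8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
]


def ptr_to_ip(name: str):
    """Turn a reverse-DNS name back into the address it asks about.

    Returns None for an ordinary forward lookup (e.g. a C2 hostname)."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # IPv4: four reversed decimal octets
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # IPv6: 32 reversed hex nibbles
        return str(ipaddress.IPv6Address(int("".join(reversed(labels[:32])), 16)))
    return None


def classify(rows):
    """Split rows into reverse lookups (with the address queried) and forward lookups."""
    reverse, forward = [], []
    for dest, name, proto in rows:
        ip = ptr_to_ip(name)
        (reverse if ip else forward).append((dest, name, ip or name, proto))
    return reverse, forward


if __name__ == "__main__":
    rev, fwd = classify(NETWORK_ROWS)
    for dest, name, ip, proto in rev:
        print("PTR  %-30s -> %s via %s/%s" % (name, ip, dest, proto))
    print("forward lookups:", len(fwd))
```

Run against the page's rows the result is six reverse lookups and zero forward lookups, which is the observation that matters when deciding whether the detonation ever reached a command-and-control host.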