Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://download.ove...

windows10-2004-x64

Resubmissions

19-10-2024 00:35

241019-axkpjaycmr 7

19-10-2024 00:24

241019-aqhatsxhmq 10

19-10-2024 00:06

241019-ad1lmsxdmj 10

18-10-2024 23:48

241018-3thpzswhpp 10

18-10-2024 23:42

241018-3p8qlsvbkh 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://download.overwolf.com/install/Download?PartnerId=3762&utm_source=google&utm_medium=cpc&utm_campaign=21268940350&gclid=CjwKCAjwjsi4BhB5EiwAFAL0YL6pQ47jirruo-pmFEOkklOaNWWPQJGq6IhGBZ4Uv7pbnpQ20WgZQBoCZRMQAvD_BwE&utm_content=Buff_AW_CjwKCAjwjsi4BhB5EiwAFAL0YL6pQ47jirruo-pmFEOkklOaNWWPQJGq6IhGBZ4Uv7pbnpQ20WgZQBoCZRMQAvD_BwE&utm_term=

  • Sample

    241019-aqhatsxhmq

Score
10/10
metasploitnjratrevengeratseonguestbackdoorbootkitdiscoveryevasionpersistenceprivilege_escalationransomwarespywarestealertrojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note
You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/xVYwHU1r http://goldeny4vs3nyoht.onion/xVYwHU1r 3. Enter your personal decryption code there: xVYwHU1rpkV4FW7fynM8V9KJbLUWf41EPa3WhHd4JQaPJqLMm2We6Dek5v6A3BYpY8eNVQfuqdASwPWR25u6vKePPsWA49gq
URLs

http://golden5a4eqranh7.onion/xVYwHU1r

http://goldeny4vs3nyoht.onion/xVYwHU1r

Targets

    • Target

      https://download.overwolf.com/install/Download?PartnerId=3762&utm_source=google&utm_medium=cpc&utm_campaign=21268940350&gclid=CjwKCAjwjsi4BhB5EiwAFAL0YL6pQ47jirruo-pmFEOkklOaNWWPQJGq6IhGBZ4Uv7pbnpQ20WgZQBoCZRMQAvD_BwE&utm_content=Buff_AW_CjwKCAjwjsi4BhB5EiwAFAL0YL6pQ47jirruo-pmFEOkklOaNWWPQJGq6IhGBZ4Uv7pbnpQ20WgZQBoCZRMQAvD_BwE&utm_term=

    Score
    10/10
    metasploitnjratrevengeratseonguestbackdoorbootkitdiscoveryevasionpersistenceprivilege_escalationransomwarespywarestealertrojan

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Seon

      The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.

      trojanransomwareseon

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Renames multiple (287) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • RevengeRat Executable

      stealer

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Tasks