revengerat | 2cf26e5fe9f31386d57170cc51ec46d6e4b73e4760826d65ca1a7afc8c82acc2

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Revenge-RAT v3 - NYANxCAT/Builder.exe
Size

100KB
MD5

be03c752691189795254cebab618c21d
SHA1

cb5feaa0d9ff34a54cfad1297fb784d0929dd9bd
SHA256

313a9d09f096b4eb2efe37e3c0b51268f601c0c9d1ca3508f46769ec89e0594b
SHA512

29f586cf63d3038ea1ada19367a7d96a714a0a9e18d0085fc074f3df319f66f20b58d69360b08095d80ad07d9775000b3aadbeb5784fbe30f36a62ecb8df9841
SSDEEP

3072:sJDNTv7xhz06GXwnTqRGXuuoNTv7xhz0Y:sfTkprTk

Score

10^/10

revengerat nyancatrevenge discovery trojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

127.0.0.1:333

Mutex

3a6ac9783c3e

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Executes dropped EXE 3 IoCs

pid	Process
2084	Client.exe
2448	Client.exe
1628	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Builder.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1788	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	taskmgr.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe
1788	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	Builder.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2820	1884	Builder.exe	31
PID 1884 wrote to memory of 2820	1884	Builder.exe	31
PID 1884 wrote to memory of 2820	1884	Builder.exe	31
PID 2820 wrote to memory of 3036	2820	csc.exe	33
PID 2820 wrote to memory of 3036	2820	csc.exe	33
PID 2820 wrote to memory of 3036	2820	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT\Builder.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11aewgyr\11aewgyr.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEE2.tmp" "c:\Users\Admin\Documents\CSCEEE1.tmp"
    3⤵
    PID:3036

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2232

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2592

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1788

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2448

C:\Users\Admin\Documents\Client.exe
"C:\Users\Admin\Documents\Client.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESEEE2.tmp

Filesize
1KB

MD5
5583c9e1d381e8762b090eec66616d78

SHA1
eeef0a0790d9190835f43725eba4663111d1ebb4

SHA256
6bff9d18728d6a7af628678d7107bac5d3fc5c4c0733e0fb7fe0121704cddcd7

SHA512
fb94f3055e10ecde54407ee7f8e32514465ad60267a8c38dc6e42000d43ed062f6dee212e11a7d7c51b45530dc670aa03fb66826000283f29a8d2e3c74a5763a

Download Submit
C:\Users\Admin\Documents\Client.exe

Filesize
24KB

MD5
798a8394a500da3f3d524d0f8686fdb4

SHA1
5cdb6f14ccd4da5291c5618d19b6494b851068a6

SHA256
03788a00cf1ce2f697f3d037ab667038a35c023c3f417738eeb499e932f52f76

SHA512
6dc102b59abd9578df1682080d0ce87aaaeeddf2a5020e41d4fb8d52913c31257344225bbfd82ad6ac688955d0673f351a51c713a21446bf480e6ab2ab8d2ce2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11aewgyr\11aewgyr.0.cs

Filesize
21KB

MD5
2dcb363b969b7901b58efcc5856b2b4f

SHA1
4828eefea04a7682355c4453eab3a1273a3f4cf2

SHA256
76cbb8aa269c57bc565561e7b6c486fcf10f2e7c849f20b7b6fe102a0352e68b

SHA512
4d0368d4e6663788b9062e2abd2edb3e2be479229d9220b373cac54178c75f6ad8945d14b6f1757da5863679a1ebbf2f27fea778076527d39a84e7a9364f7f75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11aewgyr\11aewgyr.cmdline

Filesize
287B

MD5
893d2d007f21a5c872fd6ced6c8c541e

SHA1
360f7a1ca1a8f66435aa1070bce8bcd8c4853d88

SHA256
04f99a767049f1d38a14fa3cd4ad4b4e800fee764fc539b7d59580de389cf7bf

SHA512
e6f21bb25fb44b1ccb912f0cdea4eb4c3739d2c7c7f33ae554946255d65dafee808b1ab586c24a1f62931b7ebe63205216d28be001669a7316eed6337ce1ee6d

Download Submit
\??\c:\Users\Admin\Documents\CSCEEE1.tmp

Filesize
644B

MD5
23c5f6c5bb4e5de59ec5aa884ea098d3

SHA1
7240ba716de1d9ddaa3f9e3a0adcd7e00c4e6a83

SHA256
7e090465b6d810c988f61a89f11debded56b4bff54c07369c26ab8afd9e8ba27

SHA512
bef35b5af9bb58041f3783a43e85f204a088f44e19168815eea881c2864f9c9038f0e8ba2ab136b6514028e6c22652496cee61fe6dab467b56f0a31809ca1f51

Download Submit
memory/1788-25-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-23-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1788-22-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1884-6-0x000000001E770000-0x000000001E780000-memory.dmp

Filesize
64KB

Download
memory/1884-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-19-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-1-0x0000000001270000-0x000000000128E000-memory.dmp

Filesize
120KB

Download
memory/1884-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/1884-3-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-5-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/1884-4-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download