Overview

overview

10

Static

static

3

LeeTextTools.exe

windows7-x64

10

LeeTextTools.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LeeTextTools.exe

  • Size

    935KB

  • MD5

    45c16f2c3c9f43bfaf3f4bbed777773a

  • SHA1

    9b4e4b6a6a79a3a668f63803d2a4d03a81589ad1

  • SHA256

    7f74247962c61d595001a2d02788e55290265ed177bc696802f6f4eca51e5796

  • SHA512

    7d7ae482968d38c98f947b87520817a6165148a3e66cf89352a96a4ed5d6d6ac6e8cfa843c819d711ef066df20195bfb93b571738519bc6751826fd7b9398538

  • SSDEEP

    24576:GkHfaEEJ40aLb49n5/hLEjaEEJ40aLb49n5/hgCFzwgy:GkHfaEEJ465/REjaEEJ465/9Zw1

Score
10/10
revengeratnyancatrevengediscoverypersistencetrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

amazon.capeturk.com:100

Mutex

eea5a83186824927836

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LeeTextTools.exe
    "C:\Users\Admin\AppData\Local\Temp\LeeTextTools.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1820
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2260
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          4⤵
          • Executes dropped EXE
          PID:1476
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      PID:2884
    • C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe
      "C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/LeeSoftware
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:976 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    be046f1540d9ee7a1dedafb982dd6681

    SHA1

    65830480a6ec4a500d6296f0e411b9f7c16a34ca

    SHA256

    95e993768efeefbe111679cb719916b1ddb00463c300c68f2c1f1cfc51bf78a4

    SHA512

    9a7b6a3025326a0a9ba2e8ee2603d68545a1400a55f7aa27c631f44c74a23b3edf18948d833722e4bf9a53317d2c8c82c87264e296d925c2c657102c9b6df369

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    714625fc727ad6d74a71c3d8d104317d

    SHA1

    3316c68f1968b526d8fc8dad1712cfcc51e9382f

    SHA256

    e6904edb50549d4a2c1940af6917f636a72ef3d23da6510ee025f185085ed858

    SHA512

    49ead9f0bf0f1d8bd9ea0b5dc9bca9ba92911283ca4b17471a800c16d9328adb4516c364bde9b9a27e393d30932fdf6f8177087519d6285b3bc0d098cfbc07d5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    728ffc34c2e202ef601983fdfe7575b6

    SHA1

    dd2442f1dabd71562df69e561463c77ac2401336

    SHA256

    722d0c224f9293496228c23ad2e4a6c06a74d8fd12f0e7b5c03dc1de6c299c3e

    SHA512

    3706cbf171f079087a401a9ee85bfe1acd2a9b25bffe0df6ba0f028b4c40ac226651099e1ad9f98fe465d5490cf380831519cf6016f3088ce0331a68add8b58e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    cc48ad99354e9a57896a3578506f0c50

    SHA1

    159fe7c8aa665a4dc68a9922652cb7fbbf707c0e

    SHA256

    ecb2cfac1af956b5bf887be3af1e4f5e3eaaeb826b4f4f679aea751ac2338515

    SHA512

    39fbf60c4d09c0e4737e4ce183652367110d06800224a1dc0f109e84aa1cf441d6fb3844a4dbbd68d629e2e85c1946040518a2ac501079fb2f1259c85fcb6ebb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    24c8ed1c6b0f88af44d8bae37a683870

    SHA1

    5471c90a1b7f8e656941e6da4c1751de3f7486e4

    SHA256

    19e5239843d2560ad634559173857af5adfa28c99a2a4f2c7d617a93cc4880db

    SHA512

    c945d727f88c5fbabe474d925ba7076f5897ef5307f5a655309a58167a0c2a95c32f608ae05deabb4010dcf379fe77c9995521f5fd539b5ea71f0905f4ff9d05

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7363aa30d674f74927c9c51aa4565fe5

    SHA1

    beb43de1b8db9db00a6d1c357d7e7e809688e40e

    SHA256

    73f3231090151e3ae90857a4f599e2884cfb5d80a75773b02a78ddb98f4d84ce

    SHA512

    81fd46c27ecb15ca3acb020265a54acbbc3d54aa1b37039b1a2c0fe76b6304ba5566a9b7714419a9271311cc2a211adf3a7fc33c58f8a1a54aeacd89f9928b74

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4c88ae0e4aaa0ff601f1e9ffc86c6f4f

    SHA1

    00aa5b2085a4bac5354c9777725846f9aacda076

    SHA256

    2ac96dbfd3ac5707980ba54448bc5046a38fe97bd294b88ab35f33c18f6f842a

    SHA512

    75b544aa91e5dc3e025af19cb57030f2ccdb73ad2c33a88b623e259985b3b8fd3feed626070c036928580f5a1509f980c19d22adceb1541862176f000a7dc113

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    7d9147e66cc6f53115f825abe2fee867

    SHA1

    e64af809aa9a93830a965530ae87be29b945f31c

    SHA256

    e5307729d988d7fe1b8b22ff7f3b16abcc3785fdd2ac87b55c234734dba1d11e

    SHA512

    a4cab6f21d0e315f559220d7727be5b971fe83cc5c3b27a83e7580df9c15abacac7db040456a85de6bf2fcf93187b278d0dc47b3f37be8d28b83ac0f7baee938

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    07438ae5dad2864a26983d8dbfce04a2

    SHA1

    a21c732119f5e600f240f57310547f664147104f

    SHA256

    ccff5a3f1cf7d80d2b2cbdfac16e3a150e41972b3d208828ea9df9d566dc9b38

    SHA512

    03c10d5b7f27f0ee3f697b44939aeef5f1daf2530f141ebddadc025dd68502efe9eb5667714f947fd541bcfe3d1dca40a6a9f8999652b380bf81253a44f55771

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f2ade928bdd0eaa91a2bcd54b16ba924

    SHA1

    b3409be16ab4064542d90e35ec28a8dcf139034a

    SHA256

    95c0a591e262ddc82d7d8f4eeb85c2eaf98f5b2c16024b79d7b1723a25d0bf44

    SHA512

    feea2a22a5ed2fbdae28170bcea3c7a6b5058cd989f8ae61700aeb1e1a3856e2cfbd4f858d85ed091fa5e9185613360b01935ad9e82aeb50452915173df360bf

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5b9b6a08c1c25b074e954fc4441151d1

    SHA1

    8601d91715ef56ab25834e9578cfa52330c2c878

    SHA256

    e235407dac96e0a4d72f8fa12e1311705410e6974759719017aa4133649f6787

    SHA512

    8619bdb6b4c536f9e109336c39cf61c8f5557c1598534bbcda693df4c92b9e02c6773ccb045753198d69db2ab637e704665a7486612467e49222eab89205f306

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    aa7240d9966b6a236611278c567e86a5

    SHA1

    ad2c346f634840479f8bd1b5d73f724159dbceda

    SHA256

    debfe73a98c3fdb3dd69d49d378c5e2cabc5246a91737f07f0779ea0ca49d709

    SHA512

    66ad6a6d9cbfc39ffdc783d04ad12df331f381ad00fadb2ac84104f88e1ce01c660eaa8d5bff8e7d9bf2c3c6ad7e46e95a6852d45d6651e01bde85d1add20cc9

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    5caa06ace942150901897e5f88f24691

    SHA1

    ce9be774c39460c067135b24f971ff21a97abf7d

    SHA256

    e930373be618f33e78132b02fc84bd3448f9e3a574fcef34ae5eba403fd7dcac

    SHA512

    f228681b5a1a802430c5549f0b322074f51c1f3076203d8962213d235a1871db96e17828ce48720251c016e1b35e2443f8e87b3a89334a6591b68541059af3a0

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    706f45ec7d2f093e3c41122146656b90

    SHA1

    c39e68ce9b684b552ec3f8a148d7cedaa411a327

    SHA256

    1a141fcf197cdb0958eab6b420b0de81a1f05833c3631227df093eee7c21eac9

    SHA512

    08e0a9efe1cc94e6b7226429f0865f5d3877fe01df1e9bc99e0a8c7929effafe86d86214bfbfc402a5ef6ab84c85e70b2ad367cb8d5b801e81ae5c0ff587028a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9eb02edd18a010e9bedf14f5b52edb4b

    SHA1

    344db7ed49b30d4385a6385a28aabc386ea407fe

    SHA256

    64003ee8c0ddd394de17f8a4ff33ebed7eb4f14f74f0adb1d68cb2640e2f1629

    SHA512

    5331979fc995baf26141d475a04c202917b5adca2755b76aeb7421e2205287746221d5a253681108443022dd301a08367d5ffb5a59dd93059e0a1006113efc3f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2bc7af8d5999e9cb8a860458c0c5c8af

    SHA1

    ac6b46282978dd2a6f7a0f1fe9994e1fac5d5365

    SHA256

    b5232c4023f2fe9b7627597009ae7eb165e1f9f50b10789a9ede0918c0b41d21

    SHA512

    7175600a455cdb3332bb699a9765c9ca64a38e73176aec260f1c2c50b1d0e30948e816451d93a5d65062ea9c54f390f3979d0ea5ac2e3e028c929a841b5a767a

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    12eee67900d83943c0398e26de105348

    SHA1

    b745ded3a09dc5a414544340f0dca360d238287d

    SHA256

    2347ec832f27952c9a0ce6ac685e40b46a992ef047aedfe7b99cc9d1634f8d17

    SHA512

    2f3c9bebfebcc79ca244c84f53200cd5cbaa500889d73ad3d67a57a0121a8b8d31488c14d654b2f858f74b802aa88ee6e77c5270902b603c852bfa3e4a4437ac

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    945c315e227e7ff16131e2d1adf5602f

    SHA1

    fde9e03afa1198475bcab67b3becea450fd6ce1d

    SHA256

    805a387bc16d7a239c036f00a488487cec09e354e49d4abc7621eca54d8f5341

    SHA512

    47a8a92665712648281ba9e5b0842b44dda85870405017d6a88400f04ddd2c6fe776aad76d82d2af19d0cb72a8c4f279ad55cce0526069371787ea0be4f75ce8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab15A5.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Lee Text Tools .exe
    Filesize

    563KB

    MD5

    c6a289d6258169b171835ea60ab103eb

    SHA1

    ee3d99e430369f4487c411853f6ab0b74f6b2d85

    SHA256

    e3114f5d8ee3f633248221966a4cac29c6ea2423a264812ab52c4112b214e528

    SHA512

    8e0f2059455d27f3ad29e970b999d11d338b8fdf0a8e813e89d1d2d4a9b984279c32d1ee3c922a10dd162ea06574d33f405be86cabed502f9946a5aa5004a85d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize

    356KB

    MD5

    fa0b327abd82686bb9d676a30fa89b46

    SHA1

    a5521f5e8e500f67b183542ffad65b83ebcb186f

    SHA256

    d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d

    SHA512

    ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1674.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize

    63KB

    MD5

    d298454882caac154fc9217fc7e90499

    SHA1

    11970a2f8b9d1153fbc7fe925a846bd95e07e96f

    SHA256

    badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100

    SHA512

    e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize

    256KB

    MD5

    c4e4407b5fcf49586ddd5d5573ae4b95

    SHA1

    0f60aaaaac09d4f9273207114fcc78c0bfb250eb

    SHA256

    8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a

    SHA512

    95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

    Download Submit

  • memory/1476-50-0x0000000000360000-0x000000000036A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1820-22-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1820-0-0x000007FEF672E000-0x000007FEF672F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1820-4-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1820-2-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-17-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-16-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-14-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2260-34-0x000007FEF6470000-0x000007FEF6E0D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2996-31-0x0000000000A80000-0x0000000000B12000-memory.dmp

    Filesize

    584KB

    Download