General

  • Target

    Plugin81139.js

  • Size

    389KB

  • Sample

    241211-ltr5zssjfn

  • MD5

    a0c2859596c5ce9790594ba975cb0eac

  • SHA1

    3fcb95f0177d3ec86496f2388fb78b0b2d28820b

  • SHA256

    65c941cb336cf645d782e99b761fb37740a615948c6c2c83a3bcba882a2c97a4

  • SHA512

    738072f15990c51584c71962043e3bea38dd3b758170815f5daddfceb8622f2eff13e9c8ec1dfcc4f9c150eb8065aa9a4ac38b80e712f037ad5c325de96cfb9e

  • SSDEEP

    1536:UfffKffafffKffafffKffafffKffafffKffafffKfffffffffffffffffffffffz:XHuCM4

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://res.cloudinary.com/dxtifaxks/raw/upload/v1733864899/novojeitoasync_zhpjwy.txt

Extracted

  • Family

    revengerat

  • Botnet

    NyanCatRevenge

  • C2

    102.165.46.145:333

  • Mutex

    pHXJvbCGPPiC

Targets

    • Target

      Plugin81139.js

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • Blocklisted process makes network request

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks