Analysis

  • max time kernel: 316s
  • max time network: 326s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 22-12-2024 19:35

General

  • Target: COMBO EDITOR PRO.zip
  • Size: 1.7MB
  • MD5: b539b73076fdf7f3cb1a66a67b20c8d3
  • SHA1: 946dea11d5cfb3bd5e518ffcf468fa8cd7c16192
  • SHA256: 42d160d7a91ab48d7ff8062aaaf678063a2866663943aa55c1e8b6a86518c771
  • SHA512: db067d20e97bfc1d7fe6ad656f11b5427b359b388716556df0520ee6eab878fd199711983d46352a93fe721322be357b1acc58d2d24d9b018ba5c5752c1a4f3c
  • SSDEEP: 49152:RF5gpYicHnjfFsX13dbdEjWTC72KYDcgUmNp6:RF5gqiMnjENBrTwcc18Q

Malware Config

Extracted

  • Family: revengerat
  • Botnet: NyanCatRevenge
  • C2: amazon.capeturk.com:100
  • Mutex: eea5a83186824927836

Signatures

  • RevengeRAT
    Remote-access trojan with a wide range of capabilities.
  • Revengerat family
  • Executes dropped EXE (7 IoCs)
  • Loads dropped DLL (4 IoCs)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies registry class (31 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Program Files\7-Zip\7zFM.exe (PID 2908, depth 1)
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\COMBO EDITOR PRO.zip"
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
  • C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO.exe (PID 2896, depth 1)
    "C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO.exe"
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2972, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (PID 2176, depth 3)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 2016, depth 4)
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          • Executes dropped EXE
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2816, depth 2)
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (PID 2360, depth 3)
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        • Executes dropped EXE
    • C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO .exe (PID 2588, depth 2)
      "C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO .exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    Filesize: 356KB
    MD5: fa0b327abd82686bb9d676a30fa89b46
    SHA1: a5521f5e8e500f67b183542ffad65b83ebcb186f
    SHA256: d01728070486e1abbf024db0eeeacf232e02fe326c4c0b762af73f728fc9392d
    SHA512: ead84a6cbe44be5cb213154cf11f8cbe7cc992563549201500f11cf770e3b57b02da027fc982b436f8eebbfa60088f4dad8e10de1086dbb5781b2b3da004790d

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
    Filesize: 63KB
    MD5: d298454882caac154fc9217fc7e90499
    SHA1: 11970a2f8b9d1153fbc7fe925a846bd95e07e96f
    SHA256: badaa2312457f3d08ca1f72287989456f9e62d6b417af6fb9b5e39ca1e8c8100
    SHA512: e28a4d7c827b5c816503ddba4fee0bc82b16a0acb2eed9c81b20bb1b043d69b89cd3a1cf2beafb27a2471b6172f707d53e3c90568636b0c65e484e051dfde86f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    Filesize: 256KB
    MD5: c4e4407b5fcf49586ddd5d5573ae4b95
    SHA1: 0f60aaaaac09d4f9273207114fcc78c0bfb250eb
    SHA256: 8f1e6eb0269fbe449678ce4863d494fda78bc648f27ad1c129270575efce4f7a
    SHA512: 95a89aae7f135b3355f2f0f751607742d8dfa5dfb04bf86cad0fff99d6c687a18a2f0be30d92a79d004cba49823c73f0208f40bb5e9cff3b26f72d1fe5f3d47b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
    Filesize: 99KB
    MD5: 5f71fad242ac5e7d2aeb52225e008a06
    SHA1: de750ca7460ce882fe52ff4e64ee23e6ffb547fc
    SHA256: 7567df4eb56966fd92876c3ccc4e73661ae8e22663bf801ab1eb0c13c715a051
    SHA512: df008417c026d92ebcf8e667fb30028a987d641f2cab77ffc64fa44a29f0a6d47a8317213b5797f953e30a5f4e31899d7b10f544b3fe2af1df2d389d50f38188

  • C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO .exe
    Filesize: 895KB
    MD5: 3abc499e9d280e0f8c80b1caf2782ee7
    SHA1: 6313ba4865e2b07346f33350bf7c644e1b7f51b6
    SHA256: 3484aaaa11e0f622905ea5990bdc74a02c9905b234108fb91e3c92f96b7c7c7b
    SHA512: bb941ad8027692a54510a285c8eb34231da070c795001d411901704eb28aab193eb56e5729beb0be3764ff77ec96949f1376f2ac3a157d6b9d9c9c624cb0fd57

  • C:\Users\Admin\Desktop\COMBO EDITOR PRO\COMBO EDITOR PRO.exe
    Filesize: 1.2MB
    MD5: 7fcfdd8162071811d8b9509e95be0e6d
    SHA1: 3bf0e12a542a0ce3fa427d856417edbd99a7acb5
    SHA256: de5509f2d01f80c4175bbd1ae5da740f857e0c0aaeb1a0ef8bf4355e90421d60
    SHA512: d4a7084dc98766cfc20d6b721c90392c65ca7d5e3fa53ab067a1fd1f20360298652c3073d818d2ff06f86f64c1f34712fb8406276430a4cbc5bf035728d18013

  • \Users\Admin\Desktop\COMBO EDITOR PRO\FontAwesome.Sharp.dll
    Filesize: 429KB
    MD5: dc2cb895f53ed67bef96729252bffc53
    SHA1: bce244437720fa1e1ff58033da1e6961708d05bd
    SHA256: 17ef17eb5b916bc6e9530a3cfa3483117eec7ea18de142de78eebd131ee5a84d
    SHA512: 206a53908206f5598f4fc7807ef6ea8413c5a5f7b2e5557f5e95a302f6cd483dfdee38db1697b1b52a3ea9a0eb7809c7cf798793a832fd727e23a88286be200f

  • \Users\Admin\Desktop\COMBO EDITOR PRO\Guna.UI.dll
    Filesize: 876KB
    MD5: 6d6a1f28978d42ad2f0a8f278eaac966
    SHA1: b09168ec88109422ca29cf4f1b6462d51930873d
    SHA256: fb23fa4fca8f28bebe7b7e39593a211cd3c3405de5f948ec520e859b1bcaf91e
    SHA512: 76ddf88255a9355fc3c781880e23d94206acca4decf5623712411f7a733e91ca9ea37944860401cf9667f10e8c33a087803a4726f91faff1f23e3e0592ddf41d

  • memory/2016-52-0x00000000001E0000-0x00000000001EA000-memory.dmp
    Filesize: 40KB
  • memory/2588-31-0x00000000007A0000-0x00000000007DE000-memory.dmp
    Filesize: 248KB
  • memory/2588-40-0x00000000072C0000-0x0000000007332000-memory.dmp
    Filesize: 456KB
  • memory/2588-36-0x0000000000A00000-0x0000000000A42000-memory.dmp
    Filesize: 264KB
  • memory/2588-35-0x00000000071E0000-0x00000000072C0000-memory.dmp
    Filesize: 896KB
  • memory/2588-30-0x0000000000E80000-0x0000000000F66000-memory.dmp
    Filesize: 920KB
  • memory/2588-55-0x000000000C6D0000-0x000000000C6D2000-memory.dmp
    Filesize: 8KB