revengerat | a9b2aecd74b8e1c87a278dda34e1b93f0535fc64006c5c9511472422301ca389

Analysis

max time kernel
130s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03-01-2025 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Browser Antidetect x15.2.zip
Size

79.7MB
MD5

9c5be400580e4145c8fa6e35e42595cf
SHA1

2ee27b2fda6aa55d40af3c4d800bea0ed78d8833
SHA256

a9b2aecd74b8e1c87a278dda34e1b93f0535fc64006c5c9511472422301ca389
SHA512

761f245510c5abee19535e4c9caa1071606c2027018a3660b9434b2a4f798447e71e8d00f2b545b6d76ff890bb1b02b58bedef9db397fd4ca9f949246ce271b9
SSDEEP

1572864:N4Yev8eXAYwD+YWopdm2cz3dtjJ9cUoWzLNvRQ5ENNfTv3YRiofpIcOtREi:NUE9HCYWUUz3Jm8LdRt0RnfpIDtRf

Score

10^/10

revengerat nyan-cat persistence stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

NYAN-CAT

blog.capeturk.com:1111

Mutex

RV_MUTEX-FZMONFueOciq

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/3440-781-0x000000001B980000-0x000000001B98C000-memory.dmp	revengerat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Browser AntiDetect.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
1904	Browser AntiDetect.exe
380	Setup.exe
2324	Setup.exe
1656	Browser AntiDetect .exe
2792	svchost.exe
3440	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intel Security Corporation = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe"	explorer.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
844	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	844	7zFM.exe
Token: 35	844	7zFM.exe
Token: SeSecurityPrivilege	844	7zFM.exe
Token: SeDebugPrivilege	2792	svchost.exe
Token: SeDebugPrivilege	3440	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
844	7zFM.exe
844	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 380	1904	Browser AntiDetect.exe	96
PID 1904 wrote to memory of 380	1904	Browser AntiDetect.exe	96
PID 1904 wrote to memory of 2324	1904	Browser AntiDetect.exe	97
PID 1904 wrote to memory of 2324	1904	Browser AntiDetect.exe	97
PID 1904 wrote to memory of 1656	1904	Browser AntiDetect.exe	98
PID 1904 wrote to memory of 1656	1904	Browser AntiDetect.exe	98
PID 380 wrote to memory of 2792	380	Setup.exe	99
PID 380 wrote to memory of 2792	380	Setup.exe	99
PID 2792 wrote to memory of 3440	2792	svchost.exe	100
PID 2792 wrote to memory of 3440	2792	svchost.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Browser Antidetect x15.2.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1148

C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect.exe
"C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:3440
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect .exe
  "C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect .exe"
  2⤵
  - Executes dropped EXE
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC438D538\Browser Antidetect x15.2\BROWSER\Data\profile\bookmarkbackups\bookmarks-2014-04-02_9.json

Filesize
4KB

MD5
de221524cea6d4679e2f9dd1eb44f4e0

SHA1
e957651f62dcea03b422db5042c86ad7e3f0a331

SHA256
7a2f765c182ca00114cbc3a45eab481f9c5e2b152956835c3fe7b9d235a8722b

SHA512
6b9bc75d51324e6d08eb8b5201e2f6ca97754d8e645aff3c63c088169914c2b336f0c35850de56ae959ee9c3faf132d75190b3c90c66d21b9fb64f6e933854d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC438D538\Browser Antidetect x15.2\BROWSER\Data\profile\safebrowsing\goog-phish-shavar.cache

Filesize
12B

MD5
3c036cce7494b7bb10bb4bffa5cdf4a3

SHA1
1430781c894c1a5a9b0fec934fd93d04e79037a5

SHA256
651d8bbac979cc01f271b2937cb22be1cac8b5fab37df4f7740197889a99554c

SHA512
98186c2d1f15cc6f9a6756afad59cb724a8da4c0af55e44f4be04aa4f51015f6d35bbd96de08352c4b06be6810b4563ceb9f653b7faea0e6a80cdef66f711393

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zEC438D538\Browser Antidetect x15.2\BROWSER\Data\profile\safebrowsing\test-phish-simple.pset

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
420KB

MD5
ada0cbc54989b2cd2959601c7a5b8499

SHA1
9c8739d476016fe0a87b176bb95f3a5bcbeff0de

SHA256
a19b89ddc700357e618934775fd1a412401b308a9ef6ae686d3f363622065c96

SHA512
f9de42724ff8bc65841db07a0901b706cf5f44d6c1e09e34ea753f88ed9746a22898993e0afe2947f8b4aa28515b428bd320bedca471b04db171776e81c4558e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
73KB

MD5
8e3d99e6a1064f89744ccb24dc6802bb

SHA1
1b6c31ab4236538c8423c19575c1e19a031b3876

SHA256
d21a23ffbdfe1bf8232a132b559c99b37f5825d816f83370684e67988b3162a8

SHA512
f5f49c20c5d9a5a80e1d3a4540695fca4732755bc33c0ea61b8be582a2ab7d22305666caf4a3f09fc7c165b3ceadcc89aa4240edcf1f0daba8b0bb09ef720134

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
293KB

MD5
1303779b354738a8c93cc522ffb21f11

SHA1
ce29a26e1363ddfdc830e2934fed935f15032187

SHA256
0a8e2fcc8c6393d2e97e6129e862a877a420a54f2530b4af5eb7f8e2a7a30af5

SHA512
b5a612907d09200753d4b4770c90cde98d18eda7eacd15c8297582401b58f1a4a91c8553dea7640d03bcc6068bb2afa0b1ee46997653c839f2066f5ed050a66d

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect .exe

Filesize
2.1MB

MD5
9ead9266b5daf442d8aab9b0b9857949

SHA1
b493f4f26350adc55df63f7377558d58f21dd219

SHA256
3a8f04d7509343b17ee4894154086d36929dc8d112ccfabed20138807249bffb

SHA512
8b473c98a30e3d61d9820a85979b7ea89bd3d3bc453d6e1849bc5debc8a32857a251df55ff6ea41bb889430aea3f085b537f37c1ec521b571d92e82c4d24e54b

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Browser AntiDetect.exe

Filesize
2.6MB

MD5
9a98bb15ff0cfc6fa8bb5e360461fc16

SHA1
e37c5c6ab92a760667c505b4217287bad191fae7

SHA256
cca23e9dcc7739df839a83f2dea58ae22e26faef069eaf1e193931e373c4605f

SHA512
166cc6b9953b86a7833d6301df69445d4b396e290e48aa63a9d6c07727324635017fdb30f4bf89f8db859438f0e9bafee4f458c9985f73983f8d9d08b874d558

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\FastColoredTextBox.dll

Filesize
298KB

MD5
7df3968be9edd332c17be0a20cc384e9

SHA1
9162b9553bbda24921c1eba6a0e336ddd1084e3d

SHA256
feca194f7d39d45dd043e4995050f7c531ca90503634227858e78457f0d1253c

SHA512
9634203659d87a2c205258609b4caf5001c12210a83e10362486edf12ca250c2da438833856d207af72f16d6debef9500435f88b7a58708388cd5a54442b8833

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\MetroFramework.Fonts.dll

Filesize
656KB

MD5
814161c05547bf9fed9bdd4f9377ebcc

SHA1
61ed606d323def924f5512d19e24609983c88c16

SHA256
30e127d67720f2f2f354d3d573547fc72654f37e28b53a9b5f4f235c22b02713

SHA512
551eb6daf52acd286b2c20143886856d74a758c7aab9ad046114f00ea2a0813028429303a2258509b337c2f04c16eb72a6fb43f697d579aff72d4058cef95a57

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\MetroFramework.dll

Filesize
314KB

MD5
d6323323b2c337b98625e43ed00a4b87

SHA1
eef023f8979775b0f8b4065bdd1e1522d0630c72

SHA256
f642ac332a922bef84f1de0ee9138e53ab1410c98582c291b53862fd804ac5cf

SHA512
d9102e2da83c550ef07b2f6f758b673a0bcdd014b91ed6011fe8c88ba3508d595da7cbe0417b9e170c3c73395be24b5b06cc8633ac96db88008cd663c8326ed2

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\Newtonsoft.Json.dll

Filesize
491KB

MD5
c7eff1effc52ea72756bc5813f31ce1c

SHA1
6c1bdd28ca4d3ecbc1f3f38373d406dcc6f148d1

SHA256
36ce0f0325ec05b511b728230bce63f0cb33ddae0283fed88ded8111c588c1e4

SHA512
1f346d7fcda5945427a7d42fd063df6df36c401640df3e11e7b24edbc13359e4f68652674a13503917b33b775f784f3d5e5ce70221dc30eb9a9d8e589f6e57ba

Download Submit
C:\Users\Admin\Desktop\Browser Antidetect x15.2\Release\config.json

Filesize
1KB

MD5
05794c5b428a3db1383430c4615239c6

SHA1
2c83ea72eeb4c35b89d5347879bd0e01fdb2dc3e

SHA256
60187af9af1deb4cc0dd1aec74256be3744139e5afd77a4ee52d9cfe8ca61290

SHA512
5179297497ba0699b6876e451d4fa6f6e38fcdda216984c37834939ae891b86b9f82f9725fd7d45d37fbb1296d439fb8b3197525533dd163aaee9209713a9f17

Download Submit
memory/380-714-0x000000001B740000-0x000000001B768000-memory.dmp

Filesize
160KB

Download
memory/1656-760-0x000000001C1A0000-0x000000001C24A000-memory.dmp

Filesize
680KB

Download
memory/1656-758-0x000000001B4E0000-0x000000001B502000-memory.dmp

Filesize
136KB

Download
memory/1656-790-0x000000001EE70000-0x000000001EF72000-memory.dmp

Filesize
1.0MB

Download
memory/1656-733-0x0000000000340000-0x000000000056A000-memory.dmp

Filesize
2.2MB

Download
memory/1656-763-0x000000001E180000-0x000000001E202000-memory.dmp

Filesize
520KB

Download
memory/1656-742-0x000000001B080000-0x000000001B0D4000-memory.dmp

Filesize
336KB

Download
memory/1656-757-0x000000001B0E0000-0x000000001B130000-memory.dmp

Filesize
320KB

Download
memory/1904-700-0x000000001C6E0000-0x000000001CBAE000-memory.dmp

Filesize
4.8MB

Download
memory/1904-701-0x000000001CC50000-0x000000001CCEC000-memory.dmp

Filesize
624KB

Download
memory/1904-734-0x00007FFD01840000-0x00007FFD021E1000-memory.dmp

Filesize
9.6MB

Download
memory/1904-699-0x00007FFD01840000-0x00007FFD021E1000-memory.dmp

Filesize
9.6MB

Download
memory/1904-698-0x00007FFD01840000-0x00007FFD021E1000-memory.dmp

Filesize
9.6MB

Download
memory/1904-697-0x000000001C160000-0x000000001C206000-memory.dmp

Filesize
664KB

Download
memory/1904-696-0x00007FFD01AF5000-0x00007FFD01AF6000-memory.dmp

Filesize
4KB

Download
memory/2324-732-0x000000001C3A0000-0x000000001C3EE000-memory.dmp

Filesize
312KB

Download
memory/2792-755-0x000000001BA20000-0x000000001BA28000-memory.dmp

Filesize
32KB

Download
memory/3440-780-0x0000000001280000-0x0000000001288000-memory.dmp

Filesize
32KB

Download
memory/3440-781-0x000000001B980000-0x000000001B98C000-memory.dmp

Filesize
48KB

Download
memory/3440-782-0x000000001D6A0000-0x000000001D702000-memory.dmp

Filesize
392KB

Download
memory/3440-785-0x000000001BB40000-0x000000001BB52000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads