Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://roblox.com

windows11-21h2-x64

10

Resubmissions

31/01/2025, 14:27

250131-rsfnfsznhk 10

31/01/2025, 14:21

250131-rn459axqft 10

31/01/2025, 14:14

250131-rjzd7sxpgt 10

31/01/2025, 14:10

250131-rg2rjsxpcs 3

31/01/2025, 11:31

250131-nm7cfawnhr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://roblox.com

  • Sample

    250131-rn459axqft

Score
10/10
revengeratdefense_evasiondiscoverypersistencestealertrojanupx

Malware Config

Targets

    • Target

      http://roblox.com

    Score
    10/10
    revengeratdefense_evasiondiscoverypersistencestealertrojanupx

    • Modifies WinLogon for persistence

      persistence

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • Revengerat family

      revengerat

    • RevengeRat Executable

      stealer

    • Adds policy Run key to start application

      persistence

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

      persistence

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Defense Evasion

Impair Defenses

1
T1562

Safe Mode Boot

1
T1562.009

Modify Registry

6
T1112

Subvert Trust Controls

2
T1553

SIP and Trust Provider Hijacking

2
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks