analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Revenge-RAT v3 - NYANxCAT.zip

Full analysis: https://app.any.run/tasks/3e364dd6-cec3-4276-b076-f44b61b62989
Verdict: Malicious activity
Analysis date: November 30, 2020, 00:01:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E53EBB31D498A1B75E7E12F4670B84F4

SHA1:

F1A2C57396674662540C7A6D825322D99251101E

SHA256:

DBC0A745C62C9AEF393F732F718149FC5ABAFFE30DDB1D55D978A8BF17E9AE01

SSDEEP:

393216:853OkzJUuTFL5k62f6Q8NSXwDomaVXMhDxUy0o:8dd7Lqn6ogDo78fn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Builder.exe (PID: 2224)
      • Builder.exe (PID: 1672)
      • Revenge-RAT v0.3.exe (PID: 2108)
    • Starts Visual C# compiler

      • Builder.exe (PID: 1672)
    • Drops executable file immediately after starts

      • csc.exe (PID: 1676)
  • SUSPICIOUS

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 2884)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2884)
      • csc.exe (PID: 1676)
    • Reads internet explorer settings

      • Revenge-RAT v0.3.exe (PID: 2108)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 2884)
    • Drops a file with a compile date too recent

      • csc.exe (PID: 1676)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Revenge-RAT v3 - NYANxCAT/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:03:02 14:31:10
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start winrar.exe revenge-rat v0.3.exe no specs builder.exe no specs builder.exe no specs csc.exe cvtres.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2884"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Revenge-RAT v3 - NYANxCAT.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2108"C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Revenge-RAT v0.3.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Revenge-RAT v0.3.exeWinRAR.exe
User:
admin
Company:
Revenge-RAT v0.3
Integrity Level:
MEDIUM
Description:
Revenge-RAT v0.3
Version:
0.0.0.3
2224"C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Builder.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Builder.exeRevenge-RAT v0.3.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Builder
Version:
1.0.0.0
1672"C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Builder.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Builder.exeRevenge-RAT v0.3.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Builder
Version:
1.0.0.0
1676"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\uxsaixhy.cmdline"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Builder.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.4927 (NetFXspW7.050727-4900)
776C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB019.tmp" "c:\Users\admin\Documents\CSCB018.tmp"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.4940 (Win7SP1.050727-5400)
Total events
1 388
Read events
1 333
Write events
0
Delete events
0

Modification events

No data
Executable files
20
Suspicious files
15
Text files
75
Unknown types
2

Dropped files

PID
Process
Filename
Type
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\AutoIt_Old3.icoimage
MD5:0F0E13405457EA08934106DF42692329
SHA256:5FF7C00A84867D28DB78F861836A6BD0247D34A2F6097DE4EFA198D7ABEB1EAC
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\AutoIt_Main_v10_48x48_256.icoimage
MD5:88624B8E01AC8036B6F1971B497DBB7E
SHA256:BADC42DA4C0E29AF7F6C0C58711D9DB7B3D7D4760C18CB521F4113D8CDBC2F3D
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Autoit.au3text
MD5:76592CDB5646CE753B0A032A219CEA41
SHA256:3B0A9192AE1945357E3E2A05E20C75663BB1788554F50BD5EE7E8B93C5AD1F66
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Aut2exe.exeexecutable
MD5:D28806A3244AF288A2E569E36DF136C4
SHA256:89AFE97DD27C3CADB96481DD38A1352BF6B98FA0206DD2D856728A47DC06F3BA
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Builder.exeexecutable
MD5:BE03C752691189795254CEBAB618C21D
SHA256:313A9D09F096B4EB2EFE37E3C0B51268F601C0C9D1CA3508F46769EC89E0594B
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\AutoIt_Old1.icoimage
MD5:30270204AF026B5874476EC41ABE3ACD
SHA256:29D40D3CB78D5FA6FAFEABDDB01296D5FEAF8E7864210F5581F1BAD50C613B32
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\AHK\AHK.ahktext
MD5:A908B151CC37C66AEAFF20D43BA0CAE0
SHA256:B032B99C88289C02388BD1DB21A3CFC34AC9AB36BC48BE5D6570AC6497F70E56
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\AutoIt_Old4.icoimage
MD5:CC38AAF8B57E428ABFE0BE7309E7735B
SHA256:23672A6B6AC69E0E5F836E52144B44667298A47F08E641D9F227D3BB6AFBECC6
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\SETUP06.ICOimage
MD5:A688105D2E3DF9769A0B8830A7510D45
SHA256:217766AE48FDFAAB3B6C6A59003BD95D92EFFBE0F8D1B58C2BBE2A2FB85D8610
2884WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXb2884.34077\Revenge-RAT v3 - NYANxCAT\Extensions\Aut2Exe\Icons\AutoIt_Main_v9_48x48_256.icoimage
MD5:A87C314DD8B1FDE98FCA6E504F5FF8A0
SHA256:C43AD7216D3F7553AE87A03F23D3BE0D6F9C5212E5DCE3D38B8E8A433A549DCA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info