2020-01-15 - QUICK POST: MALSPAM PUSHING REVENGE RAT
ASSOCIATED FILES:
- 2020-01-15-RevengeRAT-infection-traffic.pcap.zip (555,426 bytes)
- 2020-01-15-RevengeRAT-infection-traffic.pcap (661,632 bytes)
- 2020-01-15-malware-and-artifacts-from-RevengeRAT-infection.zip (449,087 bytes)
- 2020-01-15-C-Users-bfett-AppData-Roaming-efinhodabumbum.vbs.txt (9,028 bytes)
- 2020-01-15-XLS-attachment-with-macro-for-Revenge-RAT.bin (229,376 bytes)
- 2020-01-15-malspam-pushing-RevengeRAT.eml (316,582 bytes)
- 2020-01-15-p_1472t0ztm1.jpg-from-a.top4top.io.txt (178,634 bytes)
- 2020-01-15-p_14754cwzr1-from-h.top4top.io.txt (9,028 bytes)
- 2020-01-15-p_1475rf4dz1.jpg-from-e.top4top.io.txt (316,417 bytes)
- 2020-01-15-registry-update-for-RevengeRAT.txt (590 bytes)
NOTES:
- Zip archives are password-protected with the standard password. If you don't know it, see the "about" page of this website.
- The attached spreadsheet was submitted to the Any.Run sandbox, so I could easily see the HTTPS URLs in the traffic.
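The note above is the practical reason for the sandbox run: because the downloads were over HTTPS, the pcap on its own only shows the server names from the TLS ClientHello (and any cleartext request lines), not the full URLs. The script below is an added example, not code from the original post, that pulls exactly those two things out of a pcap with only the Python standard library, so you can get the hostnames from the capture before reaching for a sandbox. The hostnames a.top4top.io and h.top4top.io are taken from the artifact filenames; the IP addresses, ports, request path, timestamps and the cleartext GET packet are constructed for the demo and are not from the real capture.

```python
"""List HTTP request URLs and TLS SNI hostnames from a pcap (stdlib only).

Added example for the RevengeRAT quick post. The sample pcap is built
in build_sample_pcap(); IPs, ports and the /p_1472t0ztm1.jpg path are assumed.
"""
import struct

LINKTYPE_ETHERNET = 1


def _ethernet_frame(payload, ethertype=0x0800):
    # dst MAC, src MAC (made up), EtherType, then the IPv4 packet
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" \
        + struct.pack("!H", ethertype) + payload


def _ipv4_tcp_segment(src, dst, sport, dport, payload):
    # Minimal TCP header: seq/ack 1, data offset 5 words, PSH+ACK, checksums left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return ip + tcp


def _client_hello(server_name):
    # TLS 1.2-style ClientHello carrying only a server_name extension
    name = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_sample_pcap():
    """Constructed two-packet pcap: a cleartext GET and a TLS ClientHello."""
    victim = bytes([10, 0, 0, 5])
    get = b"GET /p_1472t0ztm1.jpg HTTP/1.1\r\nHost: a.top4top.io\r\nUser-Agent: Mozilla/4.0\r\n\r\n"
    pkts = [
        _ipv4_tcp_segment(victim, bytes([203, 0, 113, 10]), 49152, 80, get),
        _ipv4_tcp_segment(victim, bytes([203, 0, 113, 20]), 49153, 443,
                          _client_hello("h.top4top.io")),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(pkts):
        frame = _ethernet_frame(pkt)
        out += struct.pack("<IIII", 1579046400 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every TCP segment with data."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, pos)[2]
        pos += 16
        frame = pcap[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        if ip[9] != 6:                      # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack_from("!H", ip, 2)[0]]
        off = (tcp[12] >> 4) * 4
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[off:]
        if payload:
            yield (".".join(map(str, ip[12:16])), sport,
                   ".".join(map(str, ip[16:20])), dport, payload)


def _http_request(data):
    """Return (method, host, path) for a cleartext HTTP request, else None."""
    end = data.find(b"\r\n")
    if end < 0:
        return None
    parts = data[:end].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"POST", b"HEAD", b"PUT"):
        return None
    host = None
    for hdr in data[end + 2:].split(b"\r\n"):
        if hdr.lower().startswith(b"host:"):
            host = hdr[5:].strip().decode("ascii", "replace")
            break
    return (parts[0].decode(), host, parts[1].decode("ascii", "replace"))


def _tls_sni(data):
    """Return the server_name from a TLS ClientHello, else None."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    pos = 43                                # record(5)+handshake(4)+version(2)+random(32)
    pos += 1 + data[pos]                    # session id
    pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher suites
    pos += 1 + data[pos]                    # compression methods
    if pos + 2 > len(data):
        return None
    end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", data, pos)
        pos += 4
        if etype == 0:                      # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack_from("!H", data, pos + 3)[0]
            return data[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def extract_requests(pcap):
    """Return [(kind, dst, dport, host, path)]; path is None for TLS hits."""
    found = []
    for _src, _sport, dst, dport, payload in iter_tcp_payloads(pcap):
        req = _http_request(payload)
        if req:
            found.append(("http", dst, dport, req[1], req[2]))
            continue
        sni = _tls_sni(payload)
        if sni:
            found.append(("tls", dst, dport, sni, None))
    return found


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for kind, dst, dport, host, path in extract_requests(data):
        print(f"{kind:4} {dst}:{dport}  {host}{path or ''}")
```

Run it with the real pcap as the first argument to get the hostnames; with no argument it runs on the constructed sample. For the HTTPS downloads it will only ever print the SNI name, never the `.jpg` path, which is the gap the Any.Run run fills.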
IMAGES
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: TCP stream from the RevengeRAT callback traffic.