Malware Analysis Report

2024-10-23 21:29

Sample ID 240305-b5gtaaah2t
Target b37485bf19f9e5c3e33d6a02c8cd80c6
SHA256 0540ea185c7bbc7adb63ed03f5b3578b0fdb04b2e9fc7d584f3f7ae415fc886a
Tags
revengerat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0540ea185c7bbc7adb63ed03f5b3578b0fdb04b2e9fc7d584f3f7ae415fc886a

Threat Level: Known bad

The file b37485bf19f9e5c3e33d6a02c8cd80c6 was found to be: Known bad.

Malicious Activity Summary

revengerat stealer trojan

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-05 01:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 01:43

Reported

2024-03-05 01:46

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe

"C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe -install -54401170 -chipde -7ea49ac586bf4240ac2459c190356a5f - -ChromeBundle -ipqodezgzdyffrxv -393504

Network

Country Destination Domain Proto
US 8.8.8.8:53 thinklabs-ltd.de udp
DE 176.9.175.237:80 thinklabs-ltd.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:443 bin.download-sponsor.de tcp

Files

\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe

MD5 ad68076fb58a634cba05c9396b0f20af
SHA1 dabc08bdf0203f5946101a0eea51d494e87f67b9
SHA256 dc712ebab17c0bf8d73a1c5b5b3b053fd1e665a2d6ad21eb5a9b34da6e844a5a
SHA512 be7f294cd4835353ab121a2de655f4a99718096f078713bd1bc8c2d2a847937bafe6853b13bb7c41178f1b33aeacf3af3d13b80f1494cca4489472458a1b63ba

memory/2308-12-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\ipqodezgzdyffrxv.dat

MD5 fa628e4a19586d96c487b7de93837561
SHA1 e826cf9340b79b64aad3a63d56d0908142144bf5
SHA256 14c0ea261dc6e5b7fa0afca74f4b44574dcc308184c350a347f2e3dabb109844
SHA512 0b44050f41383b2d0ae93629af83ff532efed4928ae60a0cca2c80f141572c4e46f66baf68f8ef4d5fb83af2626974f13d895d16456da251c7366ebfc3804367

memory/2308-14-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-15-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

memory/2308-16-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-17-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-18-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-19-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-20-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-21-0x00000000020B0000-0x0000000002130000-memory.dmp

memory/2308-22-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 01:43

Reported

2024-03-05 01:46

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe

"C:\Users\Admin\AppData\Local\Temp\b37485bf19f9e5c3e33d6a02c8cd80c6.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe -install -54401170 -chipde -7ea49ac586bf4240ac2459c190356a5f - -ChromeBundle -quvomeuluuwzdasy -197060

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 thinklabs-ltd.de udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
DE 176.9.175.237:80 thinklabs-ltd.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:443 bin.download-sponsor.de tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.175.9.176.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 234.175.9.176.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71.exe

MD5 ad68076fb58a634cba05c9396b0f20af
SHA1 dabc08bdf0203f5946101a0eea51d494e87f67b9
SHA256 dc712ebab17c0bf8d73a1c5b5b3b053fd1e665a2d6ad21eb5a9b34da6e844a5a
SHA512 be7f294cd4835353ab121a2de655f4a99718096f078713bd1bc8c2d2a847937bafe6853b13bb7c41178f1b33aeacf3af3d13b80f1494cca4489472458a1b63ba

memory/8-8-0x00007FFDE7950000-0x00007FFDE82F1000-memory.dmp

memory/8-9-0x000000001BC30000-0x000000001C0FE000-memory.dmp

memory/8-10-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/8-11-0x000000001B670000-0x000000001B716000-memory.dmp

memory/8-12-0x000000001C1A0000-0x000000001C23C000-memory.dmp

memory/8-13-0x00007FFDE7950000-0x00007FFDE82F1000-memory.dmp

memory/8-14-0x0000000001090000-0x0000000001098000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\quvomeuluuwzdasy.dat

MD5 fa628e4a19586d96c487b7de93837561
SHA1 e826cf9340b79b64aad3a63d56d0908142144bf5
SHA256 14c0ea261dc6e5b7fa0afca74f4b44574dcc308184c350a347f2e3dabb109844
SHA512 0b44050f41383b2d0ae93629af83ff532efed4928ae60a0cca2c80f141572c4e46f66baf68f8ef4d5fb83af2626974f13d895d16456da251c7366ebfc3804367

memory/8-16-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/8-17-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/8-18-0x0000000000CC0000-0x0000000000CD0000-memory.dmp

memory/8-20-0x00007FFDE7950000-0x00007FFDE82F1000-memory.dmp