Malware Analysis Report

2024-10-23 21:29

Sample ID: 240311-fgm3lscc95
Target: bfe379cfb4a3ee35c15e6012303f3259
SHA256: 14e2f34e9487e56e9efa7a536ab144adb5ddd01b9f6ce295545f83fa9a334dcc
Tags: revengerat stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 14e2f34e9487e56e9efa7a536ab144adb5ddd01b9f6ce295545f83fa9a334dcc

Threat Level: Known bad

The file bfe379cfb4a3ee35c15e6012303f3259 was found to be: Known bad.

Malicious Activity Summary

Tags: revengerat stealer trojan

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-03-11 04:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 04:50
Reported: 2024-03-11 04:53
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe

"C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -54383364 -chipde -e5a2ae1362a94a3f85699f2e070ce979 - -BLUB2 -nrgwrfucyahhjyar -328184

Network

Country  Destination         Domain                   Proto
US       8.8.8.8:53          thinklabs-ltd.de         udp
DE       176.9.175.237:80    thinklabs-ltd.de         tcp
US       8.8.8.8:53          bin.download-sponsor.de  udp
DE       176.9.175.234:443   bin.download-sponsor.de  tcp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

MD5 7b3b5db5fdd271811f9f22d52ee36e9d
SHA1 dae3b80a567aa739fa54d4c896a2cfe0f9718180
SHA256 c5e83f41df5b4158994a29122874c3ff26d5e5877eb9a1dc109693d8ea41cea2
SHA512 91ae6be31c599344f44fc5decd2d51f7ff2e86da53089c8f5a821c71853c0603e613c2455eedbf55970bda34e2f74547105b27d53dfdf5c47b81e648cdc3ced2

memory/1776-12-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

memory/1776-13-0x0000000001EC0000-0x0000000001F40000-memory.dmp

memory/1776-14-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\nrgwrfucyahhjyar.dat

MD5 c5cbbc160a47cca8176daf147c4e4013
SHA1 5e62f13d809d5496e52784486e9dc99404410d41
SHA256 286bf920a94d093210c92bda1a8b1036992714d9aa434497e3f50f9cb70276fa
SHA512 c1f8a9cd10e111d89aff0687febb1bb9658d9e06482c5b5d6794986fc315038d1dea3ce987522cd0ed937d06bbd42b6cc4a09b6e3b7c325abae6fe93cb63f114

memory/1776-16-0x0000000001EC0000-0x0000000001F40000-memory.dmp

memory/1776-17-0x0000000001EC0000-0x0000000001F40000-memory.dmp

memory/1776-18-0x0000000001EC0000-0x0000000001F40000-memory.dmp

memory/1776-19-0x000007FEF5770000-0x000007FEF610D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 04:50
Reported: 2024-03-11 04:53
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe"

Signatures

RevengeRAT
Tags: trojan revengerat

RevengeRat Executable
Tags: stealer
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Executes dropped EXE
Description  Indicator  Process                                             Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe  N/A

Suspicious use of AdjustPrivilegeToken
Description              Indicator  Process                                             Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe

"C:\Users\Admin\AppData\Local\Temp\bfe379cfb4a3ee35c15e6012303f3259.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -54383364 -chipde -e5a2ae1362a94a3f85699f2e070ce979 - -BLUB2 -vcgcgujqpgtexmrz -262508

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          2.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53          149.220.183.52.in-addr.arpa   udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53          thinklabs-ltd.de              udp
US       8.8.8.8:53          55.36.223.20.in-addr.arpa     udp
DE       176.9.175.237:80    thinklabs-ltd.de              tcp
US       8.8.8.8:53          bin.download-sponsor.de       udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53          237.175.9.176.in-addr.arpa    udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
DE       176.9.175.234:443   bin.download-sponsor.de       tcp
US       8.8.8.8:53          234.175.9.176.in-addr.arpa    udp
US       8.8.8.8:53          198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53          97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa   udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53          18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          176.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          211.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       8.8.8.8:53          0.204.248.87.in-addr.arpa     udp
US       8.8.8.8:53          79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53          174.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          88.16.208.104.in-addr.arpa    udp
GB       96.17.178.174:80    -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

MD5 7b3b5db5fdd271811f9f22d52ee36e9d
SHA1 dae3b80a567aa739fa54d4c896a2cfe0f9718180
SHA256 c5e83f41df5b4158994a29122874c3ff26d5e5877eb9a1dc109693d8ea41cea2
SHA512 91ae6be31c599344f44fc5decd2d51f7ff2e86da53089c8f5a821c71853c0603e613c2455eedbf55970bda34e2f74547105b27d53dfdf5c47b81e648cdc3ced2

memory/3776-8-0x000000001C0B0000-0x000000001C57E000-memory.dmp

memory/3776-9-0x00007FFBD96A0000-0x00007FFBDA041000-memory.dmp

memory/3776-10-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-11-0x000000001C630000-0x000000001C6D6000-memory.dmp

memory/3776-12-0x00007FFBD96A0000-0x00007FFBDA041000-memory.dmp

memory/3776-13-0x000000001C780000-0x000000001C81C000-memory.dmp

memory/3776-14-0x0000000001610000-0x0000000001618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\vcgcgujqpgtexmrz.dat

MD5 c5cbbc160a47cca8176daf147c4e4013
SHA1 5e62f13d809d5496e52784486e9dc99404410d41
SHA256 286bf920a94d093210c92bda1a8b1036992714d9aa434497e3f50f9cb70276fa
SHA512 c1f8a9cd10e111d89aff0687febb1bb9658d9e06482c5b5d6794986fc315038d1dea3ce987522cd0ed937d06bbd42b6cc4a09b6e3b7c325abae6fe93cb63f114

memory/3776-16-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-17-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-18-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-19-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-20-0x0000000001800000-0x0000000001810000-memory.dmp

memory/3776-22-0x00007FFBD96A0000-0x00007FFBDA041000-memory.dmp