Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 12-03-2024 23:36
Static task: static1
Behavioral task: behavioral1
- Sample: c465c388ef101ec4d45302c1b0435f93.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c465c388ef101ec4d45302c1b0435f93.exe
- Resource: win10v2004-20240226-en
General
- Target: c465c388ef101ec4d45302c1b0435f93.exe
- Size: 542KB
- MD5: c465c388ef101ec4d45302c1b0435f93
- SHA1: 9dde3f1ebb22a7281eab77e1e607859cad5b7dce
- SHA256: 13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351
- SHA512: 37edc9b8e8d0cf6f44475845089b6a1844c5ae9c3512cbbadd58069e03f0c0028df4ee06c0405f4ae682d8909b5b840248b515e6aa476a8c695452d3571007bb
- SSDEEP: 12288:oxxIfXlJkEK/tKqCKYXSrDI6DY4EwmGAr4YlzY4ZJEk/wrGEYXl5gvysgfBnnl2b:o7Ehwy5gvysgpnncb
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- RevengeRat Executable (1 IoC)
  resource: \Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe, yara_rule: revengerat
- Executes dropped EXE (1 IoC)
  pid 2476, process ocs_v6w.exe
- Loads dropped DLL (2 IoCs)
  pid 2992, process c465c388ef101ec4d45302c1b0435f93.exe (2 events)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid 2992, process c465c388ef101ec4d45302c1b0435f93.exe (1 event)
  pid 2476, process ocs_v6w.exe (2 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2992 (c465c388ef101ec4d45302c1b0435f93.exe) wrote to memory of PID 2476 (ocs_v6w.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe (child process)
    Command line: C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -apnbiywblivcnmgs
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\OCS\apnbiywblivcnmgs.dat
  Filesize: 899B
  MD5: 105d7cdf5bfed8bb2722dc4fbfe1fa60
  SHA1: 966f4abe94a78efe5ed790f662275f82d3ad0ab5
  SHA256: 13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297
  SHA512: d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6
- \Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
  Filesize: 288KB
  MD5: bf3d279766c65e104ac350f9341b7598
  SHA1: a2c2496b99f467c8afdf1e55e2b546c6b03d878b
  SHA256: a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381
  SHA512: d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa
- memory/2476-12-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp (Filesize: 9.6MB)
- memory/2476-13-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-14-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp (Filesize: 9.6MB)
- memory/2476-16-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-17-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-18-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-19-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-20-0x0000000000AF0000-0x0000000000B70000-memory.dmp (Filesize: 512KB)
- memory/2476-21-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp (Filesize: 9.6MB)