revengerat | 13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c465c388ef101ec4d45302c1b0435f93.exe
Size

542KB
MD5

c465c388ef101ec4d45302c1b0435f93
SHA1

9dde3f1ebb22a7281eab77e1e607859cad5b7dce
SHA256

13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351
SHA512

37edc9b8e8d0cf6f44475845089b6a1844c5ae9c3512cbbadd58069e03f0c0028df4ee06c0405f4ae682d8909b5b840248b515e6aa476a8c695452d3571007bb
SSDEEP

12288:oxxIfXlJkEK/tKqCKYXSrDI6DY4EwmGAr4YlzY4ZJEk/wrGEYXl5gvysgfBnnl2b:o7Ehwy5gvysgpnncb

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe	revengerat

Executes dropped EXE 1 IoCs

Processes:

ocs_v6w.exe

pid process

4076 ocs_v6w.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ocs_v6w.exe

description pid process

Token: SeDebugPrivilege 4076 ocs_v6w.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

c465c388ef101ec4d45302c1b0435f93.exeocs_v6w.exe

pid process

4164 c465c388ef101ec4d45302c1b0435f93.exe
4076 ocs_v6w.exe
4076 ocs_v6w.exe

pid	process
4076	ocs_v6w.exe

description	pid	process
Token: SeDebugPrivilege	4076	ocs_v6w.exe

pid	process
4164	c465c388ef101ec4d45302c1b0435f93.exe
4076	ocs_v6w.exe
4076	ocs_v6w.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

c465c388ef101ec4d45302c1b0435f93.exe

description	pid	process	target process
PID 4164 wrote to memory of 4076	4164	c465c388ef101ec4d45302c1b0435f93.exe	ocs_v6w.exe
PID 4164 wrote to memory of 4076	4164	c465c388ef101ec4d45302c1b0435f93.exe	ocs_v6w.exe

C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe
"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -ffuyqaojhotnuibe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\ffuyqaojhotnuibe.dat
Filesize
899B

MD5
105d7cdf5bfed8bb2722dc4fbfe1fa60

SHA1
966f4abe94a78efe5ed790f662275f82d3ad0ab5

SHA256
13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297

SHA512
d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
Filesize
288KB

MD5
bf3d279766c65e104ac350f9341b7598

SHA1
a2c2496b99f467c8afdf1e55e2b546c6b03d878b

SHA256
a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381

SHA512
d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

Download Submit
memory/4076-12-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-16-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-10-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

Filesize
9.6MB

Download
memory/4076-11-0x000000001BB30000-0x000000001BBCC000-memory.dmp

Filesize
624KB

Download
memory/4076-13-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

Filesize
9.6MB

Download
memory/4076-14-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/4076-8-0x000000001B5C0000-0x000000001BA8E000-memory.dmp

Filesize
4.8MB

Download
memory/4076-9-0x000000001AFF0000-0x000000001B096000-memory.dmp

Filesize
664KB

Download
memory/4076-17-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-18-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-19-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-20-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/4076-21-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

Filesize
9.6MB

Download
memory/4076-23-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

Filesize
9.6MB

Download