Malware Analysis Report

2024-10-23 21:29

Sample ID 240312-3lv1cagc29
Target c465c388ef101ec4d45302c1b0435f93
SHA256 13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351
Tags
revengerat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351

Threat Level: Known bad

The file c465c388ef101ec4d45302c1b0435f93 was found to be: Known bad.

Malicious Activity Summary

revengerat stealer trojan

RevengeRAT

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-03-12 23:36

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 23:36

Reported

2024-03-12 23:39

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe

"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -ffuyqaojhotnuibe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 237.175.9.176.in-addr.arpa udp
DE 176.9.175.234:80 bin.download-sponsor.de tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 234.175.9.176.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
GB 96.17.178.174:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

MD5 bf3d279766c65e104ac350f9341b7598
SHA1 a2c2496b99f467c8afdf1e55e2b546c6b03d878b
SHA256 a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381
SHA512 d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

memory/4076-8-0x000000001B5C0000-0x000000001BA8E000-memory.dmp

memory/4076-10-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

memory/4076-9-0x000000001AFF0000-0x000000001B096000-memory.dmp

memory/4076-12-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-11-0x000000001BB30000-0x000000001BBCC000-memory.dmp

memory/4076-13-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

memory/4076-14-0x00000000009C0000-0x00000000009C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\ffuyqaojhotnuibe.dat

MD5 105d7cdf5bfed8bb2722dc4fbfe1fa60
SHA1 966f4abe94a78efe5ed790f662275f82d3ad0ab5
SHA256 13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297
SHA512 d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6

memory/4076-16-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-17-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-18-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-19-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-20-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/4076-21-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

memory/4076-23-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 23:36

Reported

2024-03-12 23:39

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"

Signatures

RevengeRAT

trojan revengerat

RevengeRat Executable

stealer

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe

"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -apnbiywblivcnmgs

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.download-sponsor.de udp
DE 176.9.175.237:80 www.download-sponsor.de tcp
US 8.8.8.8:53 bin.download-sponsor.de udp
DE 176.9.175.234:80 bin.download-sponsor.de tcp

Files

\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

MD5 bf3d279766c65e104ac350f9341b7598
SHA1 a2c2496b99f467c8afdf1e55e2b546c6b03d878b
SHA256 a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381
SHA512 d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

memory/2476-12-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

memory/2476-13-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-14-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\apnbiywblivcnmgs.dat

MD5 105d7cdf5bfed8bb2722dc4fbfe1fa60
SHA1 966f4abe94a78efe5ed790f662275f82d3ad0ab5
SHA256 13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297
SHA512 d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6

memory/2476-16-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-17-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-18-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-19-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-20-0x0000000000AF0000-0x0000000000B70000-memory.dmp

memory/2476-21-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp