Analysis Overview
SHA256
13dee39e15fa3d83d5c6523922092eabb0b281feee69421821a2bf5ba0d14351
Threat Level: Known bad
The file c465c388ef101ec4d45302c1b0435f93 was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
RevengeRat Executable
Executes dropped EXE
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-03-12 23:36
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 23:36
Reported
2024-03-12 23:39
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4164 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 4164 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe
"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -ffuyqaojhotnuibe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
| MD5 | bf3d279766c65e104ac350f9341b7598 |
| SHA1 | a2c2496b99f467c8afdf1e55e2b546c6b03d878b |
| SHA256 | a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381 |
| SHA512 | d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa |
memory/4076-8-0x000000001B5C0000-0x000000001BA8E000-memory.dmp
memory/4076-10-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp
memory/4076-9-0x000000001AFF0000-0x000000001B096000-memory.dmp
memory/4076-12-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-11-0x000000001BB30000-0x000000001BBCC000-memory.dmp
memory/4076-13-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp
memory/4076-14-0x00000000009C0000-0x00000000009C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\ffuyqaojhotnuibe.dat
| MD5 | 105d7cdf5bfed8bb2722dc4fbfe1fa60 |
| SHA1 | 966f4abe94a78efe5ed790f662275f82d3ad0ab5 |
| SHA256 | 13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297 |
| SHA512 | d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6 |
memory/4076-16-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-17-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-18-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-19-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-20-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/4076-21-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp
memory/4076-23-0x00007FF8E4EB0000-0x00007FF8E5851000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 23:36
Reported
2024-03-12 23:39
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
RevengeRAT
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2992 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2992 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
| PID 2992 wrote to memory of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe
"C:\Users\Admin\AppData\Local\Temp\c465c388ef101ec4d45302c1b0435f93.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -apnbiywblivcnmgs
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
Files
\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
| MD5 | bf3d279766c65e104ac350f9341b7598 |
| SHA1 | a2c2496b99f467c8afdf1e55e2b546c6b03d878b |
| SHA256 | a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381 |
| SHA512 | d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa |
memory/2476-12-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp
memory/2476-13-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-14-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\apnbiywblivcnmgs.dat
| MD5 | 105d7cdf5bfed8bb2722dc4fbfe1fa60 |
| SHA1 | 966f4abe94a78efe5ed790f662275f82d3ad0ab5 |
| SHA256 | 13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297 |
| SHA512 | d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6 |
memory/2476-16-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-17-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-18-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-19-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-20-0x0000000000AF0000-0x0000000000B70000-memory.dmp
memory/2476-21-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp
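The two Network tables above mix what the sample actually contacted with traffic the sandbox generates on its own (PTR lookups for every peer, Bing telemetry from the Windows 10 image), and the two Processes sections show the dropper launched with a command line whose last argument changes per run while the rest stays fixed. The script below, an added example by the editor and not part of the report or of the sandbox's tooling, takes the report's own rows and command lines (copied inline so it runs offline) and reduces them to indicators a responder would use: contacted hosts minus the noise, the stable part of the dropper's command line, and the hash shared by the randomly named `.dat` files. The benign-suffix allow-list and the noise filters are the editor's assumptions, not verdicts from the sandbox.

```python
"""Triage helper for the sandbox report above.

Added example (editor's code, not the report's or the sandbox's). The data
below is copied from the report's Network, Processes and Files sections.
"""
import re

# Rows copied from the Network tables of behavioral2 and behavioral1.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | www.download-sponsor.de | udp |
| DE | 176.9.175.237:80 | www.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | bin.download-sponsor.de | udp |
| DE | 176.9.175.234:80 | bin.download-sponsor.de | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.174:80 | | tcp |
"""

# Dropper command lines from the Processes sections of the two runs.
CMDLINES = [
    r"C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -ffuyqaojhotnuibe",
    r"C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -FFpt -proxtubede -c007e13f3f4641ab92c8b24e3fe3222a - - -apnbiywblivcnmgs",
]

# Dropped .dat files and their MD5s from the Files sections of the two runs.
DROPPED_DAT = {
    r"C:\Users\Admin\AppData\Local\Temp\OCS\ffuyqaojhotnuibe.dat": "105d7cdf5bfed8bb2722dc4fbfe1fa60",
    r"C:\Users\Admin\AppData\Local\Temp\OCS\apnbiywblivcnmgs.dat": "105d7cdf5bfed8bb2722dc4fbfe1fa60",
}

# Editor's assumption: Bing/Windows telemetry seen on a clean Win10 image is
# background noise, not traffic attributable to the sample.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]*?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)


def parse_network(table):
    """Parse the report's pipe-delimited rows; an empty Domain cell is kept as ''."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m.group("port"))})
    return rows


def network_iocs(rows):
    """Return (domains, endpoints) worth blocking.

    Skips PTR lookups (the sandbox resolving its own peers) and allow-listed
    telemetry. DNS rows all point at the resolver 8.8.8.8:53, so for them only
    the queried name is kept; a bare IP:port is kept when no domain was seen.
    """
    domains, endpoints = set(), set()
    for r in rows:
        dom = r["domain"]
        if dom.endswith(".in-addr.arpa") or dom.endswith(BENIGN_SUFFIXES):
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            if dom:
                domains.add(dom)
            continue
        if dom:
            domains.add(dom)
        endpoints.add(f'{r["ip"]}:{r["port"]}')
    return sorted(domains), sorted(endpoints)


def split_cmdline(cmd):
    """Whitespace split is enough here: no argument in these runs contains spaces."""
    return cmd.split()


def stable_tokens(cmdlines):
    """Tokens identical at the same position in every run.

    This is the part of the command line a detection can key on; the trailing
    per-run random name drops out because it differs between runs.
    """
    splits = [split_cmdline(c) for c in cmdlines]
    return [first for first, *rest in zip(*splits) if all(t == first for t in rest)]


def dat_for_run(cmd, dropped):
    """Map the last argument of a run's command line to the .dat it dropped."""
    name = split_cmdline(cmd)[-1].lstrip("-")
    for path, md5 in dropped.items():
        if path.lower().endswith("\\" + name + ".dat"):
            return path, md5
    return None


def dropper_summary(cmdlines, dropped):
    """Stable command-line prefix plus the hash set of the per-run .dat payloads."""
    hashes = {dat_for_run(c, dropped)[1] for c in cmdlines}
    return {"stable_cmdline": " ".join(stable_tokens(cmdlines)), "dat_md5": hashes}


if __name__ == "__main__":
    domains, endpoints = network_iocs(parse_network(NETWORK_TABLE))
    print("domains:", domains)
    print("endpoints:", endpoints)
    print(dropper_summary(CMDLINES, DROPPED_DAT))
```

Run as-is, it reduces the 40-odd network rows of the two runs to the download-sponsor.de hosts, their two DE endpoints and the one unresolved GB endpoint, and shows that the `.dat` dropped under a fresh random name in each run has the same MD5, so the hash is the indicator to pivot on, not the file name.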