revengerat | 14d18ccbf2c0f1e5d4c99c3e706e9f1a9a853d3ee720a9b600147448e22b1ecd

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe
Size

599KB
MD5

5d6883464307b25c817f9a36f97ca626
SHA1

c16077ddb69d3a570a86c5a41c5538267c17ff0f
SHA256

14d18ccbf2c0f1e5d4c99c3e706e9f1a9a853d3ee720a9b600147448e22b1ecd
SHA512

8d340a86a50443728c536fff4a2076c8d23433007f1f3f1ce658b326cf8381e01a982a65cce2f109cf5a9c0d42727bf960052f1eb2df6dc606f334aeb17837f3
SSDEEP

6144:XKWlw1Dx1TgzK7Yi06sCxVajmzx9S9HNBLlpY4Yi0flysVufBn597NX2F:X7lw1DxhgzaY5MxVaRPKxysgfBnnl2F

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023423-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
4052	ocs_v8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	ocs_v8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4524	5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe
4052	ocs_v8.exe
4052	ocs_v8.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4052	4524	5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe	82
PID 4524 wrote to memory of 4052	4524	5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d6883464307b25c817f9a36f97ca626_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54474105 -chipde -02ea0a5f44e94a859e8d6c08d7989357 - -ChromeBundle -kuqpuyowfkgvpsft -524570
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\kuqpuyowfkgvpsft.dat

Filesize
83B

MD5
0a139d93ddc2a474772392e6f50ef6f5

SHA1
a301d3cd82496920f68a585d58862f38a5be67a4

SHA256
0246cfdf76a7c9bf986941df9d68a7dfbdbdd559881e3bb24c9683d2a132e7f0

SHA512
13187b2a7a6ed25b545fc0a53692502f402f1f643867615be3111e4f9f88ee8e0823462e1b1e123a6507bb75d20a13247eab01e0177aa53d0d8f0c35d46fbace

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

Filesize
288KB

MD5
f1ac19e315094f6cd302aaa8d47a1890

SHA1
7fd3db54264a63c00b3b3894b8f9c76e86215068

SHA256
1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d

SHA512
dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a

Download Submit
memory/4052-13-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-10-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-11-0x000000001BCC0000-0x000000001BD66000-memory.dmp

Filesize
664KB

Download
memory/4052-12-0x000000001C820000-0x000000001C8BC000-memory.dmp

Filesize
624KB

Download
memory/4052-9-0x000000001C290000-0x000000001C75E000-memory.dmp

Filesize
4.8MB

Download
memory/4052-14-0x000000001BD70000-0x000000001BD78000-memory.dmp

Filesize
32KB

Download
memory/4052-8-0x00007FFA58EE5000-0x00007FFA58EE6000-memory.dmp

Filesize
4KB

Download
memory/4052-16-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-17-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-18-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-19-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-20-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download
memory/4052-22-0x00007FFA58C30000-0x00007FFA595D1000-memory.dmp

Filesize
9.6MB

Download