revengerat | 119ef84f802be391316b0e472c8f819a3cd2f7fd751b754bb45f370f35209748

Analysis

max time kernel
137s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe
Size

600KB
MD5

85a0122c26928f1f588472f605cc54e5
SHA1

b7b4f2c36a8327b73aa74ac7ad77d973e8e8206e
SHA256

119ef84f802be391316b0e472c8f819a3cd2f7fd751b754bb45f370f35209748
SHA512

e79ecc8229b267f1a75d41c182f3d1405e16946215ceb7daaec4f1676a0d0430cd6834e4ca7d74d76d2623616665523cb8014da1b322b4827b2dd8ec8e599aed
SSDEEP

12288:57lw1DxHpifX9IiyO9KWz3d7ysgfBnnl2w5:57m1Dw3yO9KWz3lysgpnncs

Score

10^/10

revengerat stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023429-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2696	ocs_v7f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	ocs_v7f.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4928	85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe
2696	ocs_v7f.exe
2696	ocs_v7f.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2696	4928	85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe	83
PID 4928 wrote to memory of 2696	4928	85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85a0122c26928f1f588472f605cc54e5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe -install -54389457 -chipde -68bf03d9e7114775830ee28bf2eb6a83 - -ABdetected -bfhwimpsrxfstxun -458834
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\bfhwimpsrxfstxun.dat

Filesize
81B

MD5
fcc1d62600f274b321807e7cafd7d36b

SHA1
2bff99acad7dbbcc8d8d7b4ded597f97e4eb2567

SHA256
004b04024447fa6de4ed90a359261029e74d00b21302f8557bd307cdf2bd018e

SHA512
4e8eae951d69999d34400c7c1f6d6fd58f7f234e78e890382725f393cd11ee37a24d568689ed5ac49b969d7cf893c8105e0256c00bb8c582584a60d379c31a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v7f.exe

Filesize
288KB

MD5
ea3ccd42dbdc3500e3888daf53d8ef5d

SHA1
848c686280eaa04b172fccffbd312132a0c46172

SHA256
cd166eede0e0e5303fc3f5fe5f0dd44999020f116bde2adea15319cc214751b5

SHA512
7126ec10c2301354f32f3f813958c61eaef63fe946b804ebd6f5934068b344ab75857886d867373f7a2ccf47f18a5a0f1dbe652e9649963a9fdea2b3de6dba50

Download Submit
memory/2696-13-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-10-0x000000001BC20000-0x000000001BCC6000-memory.dmp

Filesize
664KB

Download
memory/2696-12-0x000000001BD70000-0x000000001BE0C000-memory.dmp

Filesize
624KB

Download
memory/2696-11-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-9-0x000000001B750000-0x000000001BC1E000-memory.dmp

Filesize
4.8MB

Download
memory/2696-14-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2696-8-0x00007FFA2B565000-0x00007FFA2B566000-memory.dmp

Filesize
4KB

Download
memory/2696-16-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-17-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-18-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-19-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-20-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download
memory/2696-22-0x00007FFA2B2B0000-0x00007FFA2BC51000-memory.dmp

Filesize
9.6MB

Download