revengerat | 16ad6580e3df177aa5c7bdb0a009e630e13800f98f97e9138b384d2f88f5280e

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe
Size

566KB
MD5

fa5db355d930b96f0e8a17a16eb995a4
SHA1

c1fd477689b7769dd54460a141001d4a7cfe6ad9
SHA256

16ad6580e3df177aa5c7bdb0a009e630e13800f98f97e9138b384d2f88f5280e
SHA512

5095f61c153da5fcf9158013dfe6b9f9c58b6d7b64f08c2aba385148f22d2cfc1214933882c5a74ec882201f9b5674b067a4483ff2bf19f268938ba210c11ea3
SSDEEP

6144:tKbsiJAXfCElJk12MetPHNaP+HI9ygY0bPmAHw4HFfEysVufBn597NX2L:tDAAXfXlJkEMYNaGU/jQysgfBnnl2L

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x0007000000015d48-5.dat	revengerat

Executes dropped EXE 1 IoCs

Processes:

ocs_v6y.exe

pid	Process
1708	ocs_v6y.exe

Loads dropped DLL 2 IoCs

Processes:

fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

pid	Process
1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe
1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exeocs_v6y.exe

pid	Process
1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe
1708	ocs_v6y.exe
1708	ocs_v6y.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1836 wrote to memory of 1708	1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe	30
PID 1836 wrote to memory of 1708	1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe	30
PID 1836 wrote to memory of 1708	1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe	30
PID 1836 wrote to memory of 1708	1836	fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa5db355d930b96f0e8a17a16eb995a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe -install -228273 -dcu -c07f7b6842d1455f83f41b817891625a - -hu -pkidnrrvjouhavom
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\pkidnrrvjouhavom.dat

Filesize
91B

MD5
25678888b10c3e4d58de707877dbd5aa

SHA1
ed057f1111b2c19bb40fa1a1bedfed8d967bc1c9

SHA256
d51a6a1f606837337ab6c3b8f86e2d023ff75e0d527c3d470c79dd5661d07ffd

SHA512
22a5e64c61268c47852f96257f9e552c0dc880701c80feb7cf5594d413655f13597ce825d3e9f7ed97c21c70c7a6e1dfec7758e4ae0e561bdd4f699f14be3531

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v6y.exe

Filesize
312KB

MD5
e4453576e0680ca18e0cfd2ffad226b0

SHA1
988e557e6896f2607b38de46886057f285bf1904

SHA256
5c3d2ddc13f7852d5c055cc4c719c5a64522cb04fa7eee730856fc3d5f40b0d4

SHA512
9329109c69e1ff0cc486a6d14aa88b3e2092867fd943e6083c5f674479e3cf58fd60a0782e1d2623f4b40a76d5ff280f1252c894591bb0790686e08eecf7aa8a

Download Submit
memory/1708-21-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-20-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-13-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-16-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-17-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-22-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-12-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/1708-14-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-19-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-18-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-23-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-24-0x000007FEF558E000-0x000007FEF558F000-memory.dmp

Filesize
4KB

Download
memory/1708-25-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/1708-26-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download