revengerat | d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
Size

542KB
MD5

1cf62a27a2c8e2cbb12b5b49ddb83436
SHA1

7a33bbe4825898c301cb2fb3a6695c2c96639e56
SHA256

d448dd127cdf0a2ebbf5d0eb75a6c575d35ad9063b90f5954ef5d8920167d01d
SHA512

abe514cda6a7ca884ffc64f12120101d30189c66d7dda031f0c10cbfcaa9bd6e9add2cb18cd3944d11b1072b2f8a7e34a31feca0489682140633285feb9cf6dd
SSDEEP

12288:lZqvGfXlJkEK/tKqCKYXSrDI6DY4EwmGAr4YlzY4ZJEk/wrGEYXl5gvysgfBnnl6:l4v5Ehwy5gvysgpnnc5

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000016d67-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2004	ocs_v6w.exe

Loads dropped DLL 2 IoCs

pid	Process
2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
2004	ocs_v6w.exe
2004	ocs_v6w.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2004	2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2004	2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2004	2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe	30
PID 2520 wrote to memory of 2004	2520	1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cf62a27a2c8e2cbb12b5b49ddb83436_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe -install -23218 -netzwelt -2a17c53a94f8440d8b2db25fdfe912ef - - -sofcupnesoulerfx
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\sofcupnesoulerfx.dat

Filesize
25B

MD5
0a3f15c0799a6131415052bca7a1240f

SHA1
55db59d7918eb56a8f0619c18abea844d8d1ac20

SHA256
b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59

SHA512
b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v6w.exe

Filesize
288KB

MD5
bf3d279766c65e104ac350f9341b7598

SHA1
a2c2496b99f467c8afdf1e55e2b546c6b03d878b

SHA256
a1c75633ae245c8b4e96558fa24413e6c209822086ea956f17b0d7ed9a74c381

SHA512
d6a831ae3c823a00f6beff707bb4935401ee38c96ef4c2deaf6925fd2d60a30dc34a026e8b6d4939449ac912821254754e9d0ffab62083b3446ad2b76f8a31fa

Download Submit
memory/2004-19-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-20-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-16-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-17-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-18-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-12-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/2004-14-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-21-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-22-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-23-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-24-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/2004-25-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/2004-26-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download