revengerat | bb5153cb1dc1c17397679ea865fb6b29120e2c95e5a2e346fe5cfcdc63e8c7ad

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe
Size

542KB
MD5

a37f2f45a233828e2035f91ec005f365
SHA1

2b4f730eadd0436b4a00692eef4891396957b3e3
SHA256

bb5153cb1dc1c17397679ea865fb6b29120e2c95e5a2e346fe5cfcdc63e8c7ad
SHA512

dc818d52e7806c69aa592e844cf0ff0f11c8025281c62e4904f4010c6cfbda3909ebc957e27b12b6a75459cb925d8ade4a31d01525f0363cd6fe274389f80a58
SSDEEP

12288:w49XfXlJkE5sDe+RI6Inw3uAGeREkOWW2tZEkbBEkuHgAkfmerAQYgysgfBnnl20:wNE2fXYgysgpnnc0

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023cd6-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2552	ocs_v6u.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	ocs_v6u.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1844	a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe
2552	ocs_v6u.exe
2552	ocs_v6u.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2552	1844	a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe	85
PID 1844 wrote to memory of 2552	1844	a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a37f2f45a233828e2035f91ec005f365_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6u.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6u.exe -install -FFpt -proxtubede -9f6149c0b6eb42608234399359b9674f - - -rgrgwyaehksdpyyf
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6u.exe

Filesize
288KB

MD5
5449579e336a2bab36ba7eda76ff08b6

SHA1
51c88959d05e56c412807e15d03696112ba4a02a

SHA256
c8dc05bea62487bd3b930add57922a37523900d61011a827ddc8cf576b1d1445

SHA512
f0b11e6fd6dd7278c99451d0fd698fff3fbffe6528bd5361e6fc1ca78a40f1989e58be4f7cd68a9309259eb69a53630bb6b2242b731738536431b57156faa97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\rgrgwyaehksdpyyf.dat

Filesize
899B

MD5
105d7cdf5bfed8bb2722dc4fbfe1fa60

SHA1
966f4abe94a78efe5ed790f662275f82d3ad0ab5

SHA256
13376ce26ebb485a1e961e27f4cb8e3e9233bbe3d34373b88b9161b789bb4297

SHA512
d5b88c76f8752142664c003d2c789fea8d4d2e41546b331889df2888064fb8d7b11fd2ce66110954c68c568dd523283a94ef3bf50643433d4743e32565bd3bf6

Download Submit
memory/2552-17-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-18-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-11-0x000000001BF30000-0x000000001BFD6000-memory.dmp

Filesize
664KB

Download
memory/2552-12-0x000000001CAA0000-0x000000001CB3C000-memory.dmp

Filesize
624KB

Download
memory/2552-13-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-14-0x0000000001740000-0x0000000001748000-memory.dmp

Filesize
32KB

Download
memory/2552-9-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-16-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-8-0x00007FFBF2D55000-0x00007FFBF2D56000-memory.dmp

Filesize
4KB

Download
memory/2552-10-0x000000001C530000-0x000000001C9FE000-memory.dmp

Filesize
4.8MB

Download
memory/2552-19-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-20-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-21-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-22-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-23-0x00007FFBF2D55000-0x00007FFBF2D56000-memory.dmp

Filesize
4KB

Download
memory/2552-24-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-25-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download
memory/2552-27-0x00007FFBF2AA0000-0x00007FFBF3441000-memory.dmp

Filesize
9.6MB

Download