revengerat | 4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a

General

Target

4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
Size

938KB
MD5

bb4ad4b9e0ad4477825276b36a07955b
SHA1

3da0c323aca68e43249d23defe77cfd6c89aa8b9
SHA256

4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a
SHA512

3c7af5e58d1af227945d138c54b045714f7581d850b736af8d42d084036357a8f21aa55150b8ac99b52a6e5965beca9eb8ad3820bd27ee6831386e5586dc4466
SSDEEP

12288:e7lw1DxhCe6QhDiT5DQKI4k9n3eaeQkLKaL44nhPysgfBnnl27:e7m1Deej4k9n3eaeB44nhPysgpnnc7

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000015e25-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2556	ocs_v71b.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	ocs_v71b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
2556	ocs_v71b.exe
2556	ocs_v71b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2556	2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe	30
PID 2384 wrote to memory of 2556	2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe	30
PID 2384 wrote to memory of 2556	2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe	30
PID 2384 wrote to memory of 2556	2384	4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe	30

C:\Users\Admin\AppData\Local\Temp\4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
"C:\Users\Admin\AppData\Local\Temp\4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -59235408 -chipde -095021f7ef184a518aeaa00f83725248 - -BLUB2 -vjpvanabasankotq -524690
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\vjpvanabasankotq.dat

Filesize
81B

MD5
4558a835279bf92229dad8299110237b

SHA1
25f95aff9bfa225d808aafa2b73f78868a3c402c

SHA256
ed780676b735c81e845b041fd1778b0a96226a5c471bf835268882ccc922e3db

SHA512
a8d531790b28026e6dc6f2aa78be1e902c2f2750fb12621f8e5df401431de6788596ef54e5d50675df68511d488dcdc70b1dca5c487481fd64bfb9d05f74735f

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

Filesize
312KB

MD5
06e5f4da9fc01e28708ccd62815e56c0

SHA1
99f97ad369e8621ab4d17df53e80e60fee99c727

SHA256
bdcb135d79ad72c7e7f0e3e6970ffbfb72af697794c953741517f857f6751e80

SHA512
6c98a23e2d65db2feef46a96fd811384255838e0bd9ab7122d3206bafe8229c5da3c45de4b578c411da6a03851956133e44a4e8db147b59422d5f017159054eb

Download Submit
memory/2556-16-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2556-19-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-12-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-13-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-14-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-15-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-9-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

Filesize
4KB

Download
memory/2556-17-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-18-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-10-0x0000000000820000-0x0000000000876000-memory.dmp

Filesize
344KB

Download
memory/2556-20-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-21-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-22-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-23-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-24-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-25-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-26-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing