Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 22:23
Static task
static1
Behavioral task
behavioral1
Sample
4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
Resource
win10v2004-20241007-en
General
-
Target
4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe
-
Size
938KB
-
MD5
bb4ad4b9e0ad4477825276b36a07955b
-
SHA1
3da0c323aca68e43249d23defe77cfd6c89aa8b9
-
SHA256
4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a
-
SHA512
3c7af5e58d1af227945d138c54b045714f7581d850b736af8d42d084036357a8f21aa55150b8ac99b52a6e5965beca9eb8ad3820bd27ee6831386e5586dc4466
-
SSDEEP
12288:e7lw1DxhCe6QhDiT5DQKI4k9n3eaeQkLKaL44nhPysgfBnnl27:e7m1Deej4k9n3eaeB44nhPysgpnnc7
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
resource yara_rule behavioral2/files/0x000a000000023b60-6.dat revengerat -
Executes dropped EXE 1 IoCs
pid Process 3044 ocs_v71b.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3044 ocs_v71b.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3204 4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe 3044 ocs_v71b.exe 3044 ocs_v71b.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3204 wrote to memory of 3044 3204 4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe 83 PID 3204 wrote to memory of 3044 3204 4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe"C:\Users\Admin\AppData\Local\Temp\4e55e69fc8eb24876c73a8d7d518c1587ebb5ee045d2da2dbf4277617c663d1a.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -59235408 -chipde -095021f7ef184a518aeaa00f83725248 - -BLUB2 -xuctwgdpmdphrzyb -2622862⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
312KB
MD506e5f4da9fc01e28708ccd62815e56c0
SHA199f97ad369e8621ab4d17df53e80e60fee99c727
SHA256bdcb135d79ad72c7e7f0e3e6970ffbfb72af697794c953741517f857f6751e80
SHA5126c98a23e2d65db2feef46a96fd811384255838e0bd9ab7122d3206bafe8229c5da3c45de4b578c411da6a03851956133e44a4e8db147b59422d5f017159054eb
-
Filesize
81B
MD54558a835279bf92229dad8299110237b
SHA125f95aff9bfa225d808aafa2b73f78868a3c402c
SHA256ed780676b735c81e845b041fd1778b0a96226a5c471bf835268882ccc922e3db
SHA512a8d531790b28026e6dc6f2aa78be1e902c2f2750fb12621f8e5df401431de6788596ef54e5d50675df68511d488dcdc70b1dca5c487481fd64bfb9d05f74735f