revengerat | 4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
Size

600KB
MD5

004e47880c770fa60c79861ed35a9120
SHA1

c0887b5a3c5b6bea83a22d36c992a22f39eb01e2
SHA256

4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8
SHA512

1c35b6f0c0908fd839441dc599df96a8ff7af13680a5e7dc6457ee08a2afceb62204ffca581692cc6f73f0d06a36c9c1111659908937558a92570c0a41bd3962
SSDEEP

6144:8KWlw1Dx1MgzK7Yi06sCxVajmzx9S9HNBLlpY4Yi0flysVufBn597NX2c:87lw1Dx2gzaY5MxVaRPKxysgfBnnl2c

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000015d50-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2508	ocs_v8.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
2508	ocs_v8.exe
2508	ocs_v8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2508	1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe	30
PID 1748 wrote to memory of 2508	1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe	30
PID 1748 wrote to memory of 2508	1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe	30
PID 1748 wrote to memory of 2508	1748	4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe	30

C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54388859 -chipde -1662a9df3e984c9e861fc9b75480069b - -BLUB1 -inwoazezenxanfxb -524690
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\inwoazezenxanfxb.dat

Filesize
81B

MD5
76459c2fa068b7f3abf795ba19ce4861

SHA1
5966581b70c927c5f797d6ce97db09536e8a0afd

SHA256
052c43be80d678bd022df55ce556a7434035a23cb0c450c6bb9493b5072afc8d

SHA512
eb39bf8df79a4d0730f876d8b0d96f9686f432b2c42b63de1bd9b4c4645da8938fdeca58ba75923696ee0930283a6f4835c1431a7ccc097f4979dc77cf4a7c0c

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

Filesize
288KB

MD5
f1ac19e315094f6cd302aaa8d47a1890

SHA1
7fd3db54264a63c00b3b3894b8f9c76e86215068

SHA256
1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d

SHA512
dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a

Download Submit
memory/2508-17-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-13-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-15-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-16-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-12-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

Filesize
4KB

Download
memory/2508-18-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-19-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-20-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-21-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

Filesize
4KB

Download
memory/2508-22-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-23-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Filesize
9.6MB

Download