Analysis Overview
SHA256
4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8
Threat Level: Known bad
The file 4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe was found to be: Known bad.
Malicious Activity Summary
RevengeRAT
Revengerat family
RevengeRat Executable
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-04 20:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-04 20:23
Reported
2025-01-04 20:25
Platform
win7-20240903-en
Max time kernel
16s
Max time network
16s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1748 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
| PID 1748 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
| PID 1748 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
| PID 1748 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54388859 -chipde -1662a9df3e984c9e861fc9b75480069b - -BLUB1 -inwoazezenxanfxb -524690
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thinklabs-ltd.de | udp |
| DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| DE | 176.9.175.237:80 | download-sponsor.de | tcp |
| US | 8.8.8.8:53 | sl1-1.thinklabs-cluster.de | udp |
Files
\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
| MD5 | f1ac19e315094f6cd302aaa8d47a1890 |
| SHA1 | 7fd3db54264a63c00b3b3894b8f9c76e86215068 |
| SHA256 | 1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d |
| SHA512 | dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a |
memory/2508-12-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp
memory/2508-13-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\inwoazezenxanfxb.dat
| MD5 | 76459c2fa068b7f3abf795ba19ce4861 |
| SHA1 | 5966581b70c927c5f797d6ce97db09536e8a0afd |
| SHA256 | 052c43be80d678bd022df55ce556a7434035a23cb0c450c6bb9493b5072afc8d |
| SHA512 | eb39bf8df79a4d0730f876d8b0d96f9686f432b2c42b63de1bd9b4c4645da8938fdeca58ba75923696ee0930283a6f4835c1431a7ccc097f4979dc77cf4a7c0c |
memory/2508-15-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-16-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-17-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-18-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-19-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-20-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-21-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp
memory/2508-22-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
memory/2508-23-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-04 20:23
Reported
2025-01-04 20:25
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
94s
Command Line
Signatures
RevengeRAT
Revengerat family
RevengeRat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3092 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
| PID 3092 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54388859 -chipde -1662a9df3e984c9e861fc9b75480069b - -BLUB1 -wluxukvifjmvktrp -327826
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thinklabs-ltd.de | udp |
| DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp |
| US | 8.8.8.8:53 | download-sponsor.de | udp |
| DE | 176.9.175.237:80 | download-sponsor.de | tcp |
| US | 8.8.8.8:53 | sl3-1.thinklabs-cluster.de | udp |
| US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 162.50.123.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe
| MD5 | f1ac19e315094f6cd302aaa8d47a1890 |
| SHA1 | 7fd3db54264a63c00b3b3894b8f9c76e86215068 |
| SHA256 | 1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d |
| SHA512 | dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a |
memory/1572-8-0x00007FFEC6515000-0x00007FFEC6516000-memory.dmp
memory/1572-9-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-10-0x000000001BCB0000-0x000000001C17E000-memory.dmp
memory/1572-11-0x000000001C180000-0x000000001C226000-memory.dmp
memory/1572-12-0x000000001C2D0000-0x000000001C36C000-memory.dmp
memory/1572-13-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-14-0x0000000000EF0000-0x0000000000EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OCS\wluxukvifjmvktrp.dat
| MD5 | 76459c2fa068b7f3abf795ba19ce4861 |
| SHA1 | 5966581b70c927c5f797d6ce97db09536e8a0afd |
| SHA256 | 052c43be80d678bd022df55ce556a7434035a23cb0c450c6bb9493b5072afc8d |
| SHA512 | eb39bf8df79a4d0730f876d8b0d96f9686f432b2c42b63de1bd9b4c4645da8938fdeca58ba75923696ee0930283a6f4835c1431a7ccc097f4979dc77cf4a7c0c |
memory/1572-16-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-17-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-18-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-19-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-20-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-21-0x00007FFEC6515000-0x00007FFEC6516000-memory.dmp
memory/1572-22-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp
memory/1572-24-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp