Malware Analysis Report

2025-04-14 05:12

Sample ID 250104-y6b1rawjdv
Target 4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe
SHA256 4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8
Tags: revengerat discovery stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8

Threat Level: Known bad

The file 4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe was found to be: Known bad.

Malicious Activity Summary

revengerat discovery stealer trojan

RevengeRAT

Revengerat family

RevengeRat Executable

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-04 20:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-04 20:23

Reported

2025-01-04 20:25

Platform

win7-20240903-en

Max time kernel

16s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"

Signatures

RevengeRAT (tags: trojan, revengerat)

Revengerat family (tags: revengerat)

RevengeRat Executable (tags: stealer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe

"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54388859 -chipde -1662a9df3e984c9e861fc9b75480069b - -BLUB1 -inwoazezenxanfxb -524690

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thinklabs-ltd.de | udp
DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp
US | 8.8.8.8:53 | download-sponsor.de | udp
DE | 176.9.175.237:80 | download-sponsor.de | tcp
US | 8.8.8.8:53 | sl1-1.thinklabs-cluster.de | udp

Files

\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

MD5 f1ac19e315094f6cd302aaa8d47a1890
SHA1 7fd3db54264a63c00b3b3894b8f9c76e86215068
SHA256 1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d
SHA512 dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a

memory/2508-12-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

memory/2508-13-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\inwoazezenxanfxb.dat

MD5 76459c2fa068b7f3abf795ba19ce4861
SHA1 5966581b70c927c5f797d6ce97db09536e8a0afd
SHA256 052c43be80d678bd022df55ce556a7434035a23cb0c450c6bb9493b5072afc8d
SHA512 eb39bf8df79a4d0730f876d8b0d96f9686f432b2c42b63de1bd9b4c4645da8938fdeca58ba75923696ee0930283a6f4835c1431a7ccc097f4979dc77cf4a7c0c

memory/2508-15-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-16-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-17-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-18-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-19-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-20-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-21-0x000007FEF60EE000-0x000007FEF60EF000-memory.dmp

memory/2508-22-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

memory/2508-23-0x000007FEF5E30000-0x000007FEF67CD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-04 20:23

Reported

2025-01-04 20:25

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"

Signatures

RevengeRAT (tags: trojan, revengerat)

Revengerat family (tags: revengerat)

RevengeRat Executable (tags: stealer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe

"C:\Users\Admin\AppData\Local\Temp\4a66bff9dfec69d49a55da1d3449c1a5faa52555a94945d4a4d9797ab5b660d8N.exe"

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe -install -54388859 -chipde -1662a9df3e984c9e861fc9b75480069b - -BLUB1 -wluxukvifjmvktrp -327826

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 155.50.123.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | thinklabs-ltd.de | udp
DE | 176.9.175.237:80 | thinklabs-ltd.de | tcp
US | 8.8.8.8:53 | download-sponsor.de | udp
DE | 176.9.175.237:80 | download-sponsor.de | tcp
US | 8.8.8.8:53 | sl3-1.thinklabs-cluster.de | udp
US | 8.8.8.8:53 | 237.175.9.176.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 162.50.123.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v8.exe

MD5 f1ac19e315094f6cd302aaa8d47a1890
SHA1 7fd3db54264a63c00b3b3894b8f9c76e86215068
SHA256 1629b563d90ab134bf38804f489724ed3c6047817ff673b82979444e84c99e9d
SHA512 dcdfae6c6568170cfda31f247a9c0a322d924164c79328cdc8e2334c1569436fae34d31e5b78755505529b1aac9cc83f7c7ea38f73eb6e08c076c5c9c9e7b11a

memory/1572-8-0x00007FFEC6515000-0x00007FFEC6516000-memory.dmp

memory/1572-9-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-10-0x000000001BCB0000-0x000000001C17E000-memory.dmp

memory/1572-11-0x000000001C180000-0x000000001C226000-memory.dmp

memory/1572-12-0x000000001C2D0000-0x000000001C36C000-memory.dmp

memory/1572-13-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-14-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OCS\wluxukvifjmvktrp.dat

MD5 76459c2fa068b7f3abf795ba19ce4861
SHA1 5966581b70c927c5f797d6ce97db09536e8a0afd
SHA256 052c43be80d678bd022df55ce556a7434035a23cb0c450c6bb9493b5072afc8d
SHA512 eb39bf8df79a4d0730f876d8b0d96f9686f432b2c42b63de1bd9b4c4645da8938fdeca58ba75923696ee0930283a6f4835c1431a7ccc097f4979dc77cf4a7c0c

memory/1572-16-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-17-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-18-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-19-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-20-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-21-0x00007FFEC6515000-0x00007FFEC6516000-memory.dmp

memory/1572-22-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp

memory/1572-24-0x00007FFEC6260000-0x00007FFEC6C01000-memory.dmp