revengerat | 3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9ba

General

Target

3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe
Size

936KB
MD5

78ce19e041faa67ab75a560d21eec820
SHA1

ece0b914164189f1b548ae1899d5b4d5f1a812a2
SHA256

3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9ba
SHA512

98d8c506d33ab0ae03ae228654d7c826ffb070cffff71fcbbca5d3fa5f341e134c829ec9a9194040a9d6fe28642dd946d23d053e85a65ac7c2dea4c40ddce230
SSDEEP

12288:Z7lw1DxRseGQpnmSsR87RAie/kRRU7AAysgfBnnl2:Z7m1DQeB7RAiej7AAysgpnnc

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral2/files/0x0007000000023ca1-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
3676	ocs_v71b.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	ocs_v71b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1176	3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe
3676	ocs_v71b.exe
3676	ocs_v71b.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 3676	1176	3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe	83
PID 1176 wrote to memory of 3676	1176	3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe	83

C:\Users\Admin\AppData\Local\Temp\3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe
"C:\Users\Admin\AppData\Local\Temp\3d66a969bd3e6d40bcc4a84d7cb45fb246e9d3178853a0542c703c5f74f2d9baN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -4871177 -techradar -0b74502c2fe34db2ae29d84d3485c7c0 - - -mzzunvpssuntpjkq -327824
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\mzzunvpssuntpjkq.dat

Filesize
25B

MD5
0a3f15c0799a6131415052bca7a1240f

SHA1
55db59d7918eb56a8f0619c18abea844d8d1ac20

SHA256
b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59

SHA512
b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

Filesize
312KB

MD5
ac5b9b93e6300b94aa36bdb4dd478972

SHA1
972db9071c719922142be77cf935c208b66f8de2

SHA256
c3cd658e9d163ab548f9d2e37cd03d997069d146755a45283b48b9b3e07bd6e9

SHA512
65e4fe7ccc1f338e09559ad7d3a17c55d26500342c1bc29cf79e50d5452ee8b3e2968bd0505127db644d7307dd24a899d39820d0df55bb5fbbfca837ad163603

Download Submit
memory/3676-19-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-30-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-11-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-12-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-13-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-14-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-15-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-16-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download
memory/3676-17-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-18-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-32-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-9-0x0000000000E90000-0x0000000000EE6000-memory.dmp

Filesize
344KB

Download
memory/3676-23-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-22-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-21-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-24-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-25-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-26-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-27-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-28-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-29-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-20-0x00007FFE54FA0000-0x00007FFE55A61000-memory.dmp

Filesize
10.8MB

Download
memory/3676-31-0x000000001BA80000-0x000000001BC29000-memory.dmp

Filesize
1.7MB

Download
memory/3676-8-0x00007FFE54FA3000-0x00007FFE54FA5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing