revengerat | d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb

General

Target

d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe
Size

936KB
MD5

e934546440c95e3949ccf1d3bb434bad
SHA1

874ed45a76c091c0583e683d06b912cecf4c15ea
SHA256

d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb
SHA512

c0b385588083a10350263405ef441e8f7123c3c379fcebe3175cf38e36383b1aa8ecf02103fff1ce3e61f5d8825f226c1f11d58ab443a8926dc67a669d33f153
SSDEEP

12288:Z7lw1DxRseGQpnmSsR87RAie/kRRU7AAysgfBnnl2T:Z7m1DQeB7RAiej7AAysgpnncT

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000600000001875d-7.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2792	ocs_v71b.exe

Loads dropped DLL 1 IoCs

pid	Process
2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	ocs_v71b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe
2792	ocs_v71b.exe
2792	ocs_v71b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2792	2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe	31
PID 2660 wrote to memory of 2792	2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe	31
PID 2660 wrote to memory of 2792	2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe	31
PID 2660 wrote to memory of 2792	2660	d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe	31

C:\Users\Admin\AppData\Local\Temp\d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe
"C:\Users\Admin\AppData\Local\Temp\d178ec194bad39822bc32aed091eb13f2272e54e2ba47565863078fa5349fdcb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -4871177 -techradar -0b74502c2fe34db2ae29d84d3485c7c0 - - -bodssryboqxaskdt -459160
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\bodssryboqxaskdt.dat

Filesize
25B

MD5
0a3f15c0799a6131415052bca7a1240f

SHA1
55db59d7918eb56a8f0619c18abea844d8d1ac20

SHA256
b195bce571a284d6402cd66e09cfcd82f09e15e28c997205ee3cc6fde87cff59

SHA512
b5762f1f2d27d488ee445cf9d3354e297ea2502849cb6453bc5a766932bd9953b33c77690bad2d38d1c4043ce752063ca1722760f355373091eabafe3eb1bd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

Filesize
312KB

MD5
ac5b9b93e6300b94aa36bdb4dd478972

SHA1
972db9071c719922142be77cf935c208b66f8de2

SHA256
c3cd658e9d163ab548f9d2e37cd03d997069d146755a45283b48b9b3e07bd6e9

SHA512
65e4fe7ccc1f338e09559ad7d3a17c55d26500342c1bc29cf79e50d5452ee8b3e2968bd0505127db644d7307dd24a899d39820d0df55bb5fbbfca837ad163603

Download Submit
memory/2792-16-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2792-19-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-12-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-13-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-14-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-15-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-9-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2792-17-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-18-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-10-0x0000000001250000-0x00000000012A6000-memory.dmp

Filesize
344KB

Download
memory/2792-20-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-21-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-22-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-23-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-24-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-25-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2792-26-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing