Analysis
-
max time kernel
93s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 05:17
General
-
Target
a4d2485e3bf5e858e6f157d7c30aa230482d352bca1840bbff573f18e5319b69.exe
-
Size
578KB
-
MD5
1b1371ccbe1866e47cf8c1f7bce697a9
-
SHA1
3cf8b6f3eb5bde86577256c2706dd878d7f312a7
-
SHA256
a4d2485e3bf5e858e6f157d7c30aa230482d352bca1840bbff573f18e5319b69
-
SHA512
b61f0b6bcf73aee3d0e9c7d6938a18780f4b7848f513f073f3d3ea16df23f7d9bb72f84d22f1282194e041e858bd4bcdea6194d9cb2ef1a6da37346cad4cafc5
-
SSDEEP
6144:bKlx3FcfCElJk125U8SpVUagDsvb6mgmw4sFfTysVufBn597NX2P:boVcfXlJkE5YVUjuOjysgfBnnl2P
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4d2485e3bf5e858e6f157d7c30aa230482d352bca1840bbff573f18e5319b69.exe"C:\Users\Admin\AppData\Local\Temp\a4d2485e3bf5e858e6f157d7c30aa230482d352bca1840bbff573f18e5319b69.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v6z.exe -install -3742138 -dcude -87b0d7bb8b0f4880b0848e394944b143 - -de -cbvyxgzvsttsoyhf2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=3c952642-0770-42ae-b752-c7bceaff8bc9&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e6578653⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.download-sponsor.de/exitdownload/thankyou.php?pid=dcude&cid=3742138&appname=[APPNAME]&cbstate=&uid=3c952642-0770-42ae-b752-c7bceaff8bc9&sid=87b0d7bb8b0f4880b0848e394944b143&scid=&source=de&language=en-US&cdata=utyp-31.userid-363863333161646138303136643863336661626136613565.ua-66697265666f782e6578654⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd9b65a0-afa2-4c47-8cc7-2416efe684dd} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" gpu5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ae3962c-5380-4d4f-a579-222ac195cc4a} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" socket5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2984 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c11b0c5e-3afd-407c-8599-6a7a88ec4713} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3556 -childID 2 -isForBrowser -prefsHandle 3808 -prefMapHandle 3252 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff63525-bdec-405b-a4f8-1cf044ee767d} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4196 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4472 -prefMapHandle 4236 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {800cf72a-71ab-4047-8e3f-051698f8054c} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" utility5⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8013f9f7-6bff-4d00-b98b-4be086a8b02e} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26173170-751b-4796-b448-2e6fbaecf675} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {def40676-00ec-4ab8-acdc-59b59032a3c0} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6592 -childID 6 -isForBrowser -prefsHandle 6616 -prefMapHandle 5388 -prefsLen 30902 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80c5685b-46b2-40b3-a520-9b63bfd51b88} 4612 "\\.\pipe\gecko-crash-server-pipe.4612" tab5⤵
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD591edff01538acb817bc32c8522cedf5c
SHA1b27ffe767e3b36e9e80b6ce7fc7486b6907bcb49
SHA256433473c73c1030ddb4f680e1f3a75b7c8c92dca011885ef6420e2778c3d824fa
SHA512970656419bdac19506ce50ad94460e67695604201fe2571c4fb41aaad20a9b107ae4b65a2a5d651f33737fc0b6c25b9c9fcb3555b8c5a4629ce0726a111bdf87
-
Filesize
13KB
MD5d7d25b8cd5437ac2d99814b1505edbca
SHA1fc327451cf0a113550b1f2ce97c2043e9fafd464
SHA25695ab788edac9f371dfb75cc2741a7b1a37ac7785346d4634d392608b8c82bc29
SHA5129172ca6ca49d2b7dec3d6677c717e0f616af2dd70dc224ca51c89f89767e5d45fe8e3b927d0d6dae5bbf32c6aeaaccd793b524b99502f273d2369313f2570791
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
91B
MD529931ac60ae442addd2a0830e9ad803d
SHA13c840088ad911f95f43c71c02bcf2bb9828ab218
SHA25628d786ed1eac91eee25869406704cd49da519ce4ab82a1959555e7fc556fcbca
SHA5124e076872b44999ec3aa08b48b038b1dce1776c4f0a69c48fe4a0f376e3278417a4edce94b00589ca64d4415f13300beefbc26412894c52417892dd713feaabe5
-
Filesize
312KB
MD509f02c017e40a998537f26d0caee8d22
SHA17676d2f17068a9050bbbbe10908e75bc5d59b631
SHA256fae6c9cfda16a9f4587b0041156a7284bf7cb1fc48e1e34f33b50ebc2d00e2d7
SHA5120c7d4fad92bb7478e277f6c56e0e0dbd665171a7bea06a6668d9d0120c5f171cbcec37c60b6354a286192f2f0bbf104ccc5550159e863ee03cc2e23243eb93c7
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
6KB
MD517389126997c36641fbd183050f1cf44
SHA1e613e747bb4486242a28aceb28a3b0514f131295
SHA2560551955b7a78860389459975754c0507700c1edacc2209e93a8ea4c226831335
SHA512c494e4e94132b9cec3e005ac52ec6f16d61738807fd82f7e5ec1c356ec9481db9f3f90a16787a9f682580774980b6cb1af7712206063cad5775ce71b48cf6d53
-
Filesize
6KB
MD5a030acdef4d5ad3344b39cad1f0566ce
SHA17c6189f6bf74ffd60a0e8baefd3b64700d0969c6
SHA256dd695f70769abcccb0c218c5b82a1116a885b240e69f7fc74422257036854bfe
SHA5125b0199740f32716b6a87031bbc44c318b18a40acc53e3c702d618c3da393e58bfa2e1938fd2270d9eccdfdddd35b148f0c2655012933eba8fbdf75d7da635895
-
Filesize
5KB
MD53b0ce5b4518b0316a70a58a1d7710b85
SHA1b0cd620400f17b7a681b3555c5cdd4c7ec0232fb
SHA2562e2f8475cb5d63218f29e39e95b2e1930b80346f41c5ca3ad159aaea7d145ca0
SHA512ab49723a988b236a1be1d480f406692990c450f3a6aac0931d2b2452d88e1f1ddd804f13368186a7328ae7d68c63ebd0d9ae8e7c73a8540e7d0027efc677dd74
-
Filesize
14KB
MD5e91c161dcb5bc11ab027e9232d2a1445
SHA1090b1c22896f73da5b8f169a097b8a8c61c3907c
SHA256e270cb9087deda64aaf921996b8ef79cf53fc0009a5adee8899ad74c533c1270
SHA512982029a67d4e5552d37875277460afb46f49b9e08fc8e3c6a75e9956c5c5001e0cedd6977fa7734f326de3858704abc24f23ec9eed44695a16aaf029093f710c
-
Filesize
982B
MD5fa0756b95381ccf8ed14247e788dd616
SHA19d037a4394760c73f5d16a941fa0e430e2fe1169
SHA2567d6d574de95cdd29e1c718213a4990680a2f633ee4ed1b9e7d6eff64d14385da
SHA512b10d8da80977648c95008c3e884dc3789dbde5137492c3aec6050ef2246b80aa27d951d30dea6ba4f85d1e8b3e95d94314e9b135a2fb5f145b634214f013a275
-
Filesize
26KB
MD5726574c9b59f567fc76107a2ed0c8a35
SHA1f7a40232edeea76b7582fec56ddd27a303849154
SHA25635f1f34d2d1b3fe62703df99432841b6f0f0ab0d8a4fd910fe3ab965428e98d1
SHA5129d166c5c4082f7df750ca8f18466affb057076fc6f8a0b1757c76db6181a59974474060680e092a18dce61d5de37f785416040d3e34b0317e91f56d0aaa9e696
-
Filesize
671B
MD5ce86dc077ccb9e371a0d6502e8fcf897
SHA1b87621b3c21eea1fbc58f124248e234f13ca97ac
SHA256a2862a9c325666bb5cde694b3087abe28a3ee9faea5810e46a5f6374acd32933
SHA512a16244c0b1a5b6caece5b4da8dfb613d870fbad5b6e29c35ec2d5d0f2cbf8b928e71601c53eb08beba3f950c1a9bc0cb77225a6d4baabc60208c796a583c43cc
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
15KB
MD54bce9bfed020cfe275532f2dc6eca58b
SHA1a58273cc594f93c8cf0da48c8c74da0583ff0089
SHA2565c1e09f083df13b9ac070e17479c787543552ab56e2beb65c08d5d09798c7437
SHA512897d5248ef5e075a1664d766e39a3e0683ba729d697036d5071aa0908961e80463c6e3d79518d58f1b1da5249de7b91e8c7ef03d9d4de647b9aca559ec4de679
-
Filesize
12KB
MD54234e15fe1d2f02cfaef738093bf03b1
SHA196e84a4a07a3554b68ab3c65c41fcc8a91744cbe
SHA2561efa4ad22006c93b742cb740affe541241cc157c949a72be51ab36a3c7179016
SHA512234611d05366ae1747b634feb225438d42cec440676fe10ea43b1f83b46860ce601117c8ee4f5413d03e6fd634d5babf67c941b59b5471ca77d8f2a5113a38b8
-
Filesize
11KB
MD540c2357278d1e4613532b2da21a84704
SHA1177a9aa6bf3e213be223936e52474363ebaec196
SHA256b54e80b4b75eb012daaa292e565eb2ca2f8d517a27b73d85f9bc1331ec8ca8c4
SHA512e0f132f49849f1e1fc61da772fa824b8e27a166e702d3ea3ac451fe26ba7c456a516d0718d5d4a70cab7632982be8022ccb5b28e6737a37a8e22d6b7732c2c6c
-
Filesize
10KB
MD57f06efcfd6dcc84ea844c44701e621ad
SHA1558d3eb37952cd1901dba746772196e1a85b4404
SHA2561d18b196ce72e4d8741c09974d36fb47eb4a6887e25999ffdcfc799c72723c41
SHA51202de8cd0a8414f31c95ab8ba05701d882efaefeff4a8f6162a27192ca450f74a066011db3ebd53d1d0fac471e78290d149365f708e15b4f3dadd36dae50cceec
-
Filesize
1KB
MD58a3c109b6f484885ddd89dec7585c0db
SHA1c752d10c66524d3d3bea3f2ce9e3628b09680ff8
SHA25635de43aafd7473067c88bf64e82fb5e6e7adff0f316a30191bd906ac38280eac
SHA512f89fc09a0588e195db47c2332735d8cd54f9d2b5130e344735925e8297ba46626d1f7764f9d1cc39e438aaf94ff3303e567a154395c78faa7052a29556078095
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
624KB
-
Filesize
664KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB