revengerat | 569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe
Size

598KB
MD5

e392d64a584bc576ea1b28e6580885db
SHA1

5f17cfba0e9958c36289bad886638e8ecb7c5bdb
SHA256

569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4
SHA512

0427c86c2c35e4df9e2b1624d98c3098c72f4199256a1b66a21470d72cd25d13c73faec78dacd2b3b013fa61be1372cefcf882207b683db66219dd9d14c040f2
SSDEEP

6144:mKWlw1DxDOASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2F:m7lw1Dx65zfXeYU43fiysgfBnnl2F

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000016cc8-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2376	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe
2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe
2376	ocs_v71a.exe
2376	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2376	2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe	30
PID 2272 wrote to memory of 2376	2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe	30
PID 2272 wrote to memory of 2376	2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe	30
PID 2272 wrote to memory of 2376	2272	569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe	30

C:\Users\Admin\AppData\Local\Temp\569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe
"C:\Users\Admin\AppData\Local\Temp\569fb685eeb1ee6c537e4ebadf689d9ecf8ad9c9934c407f061ebfd0c71215e4.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -55203256 -chipde -c99f1e23a6ef4c39a96f01fbb868ada3 - -ChromeBundle -lsuhjlgeddoomwmu -459162
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\lsuhjlgeddoomwmu.dat

Filesize
83B

MD5
141e11fb0f94a5e52a40d7cc11ef44b2

SHA1
d9ffe575f9b949c235128ebf471e1818d55d7954

SHA256
1263f6e6ea3884c3acdbc7e106c9f5e3029a2a19a4ef022e96709864f67b5bc4

SHA512
d56dc38cbf28f1dc184587153f6f30003a695f10db0c835cbe3866a1dd53e3c2329a6e9ae58bc7013269f499e7a30bec43ac92d9329ee8a32a8a6aba790c7053

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2376-12-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp

Filesize
4KB

Download
memory/2376-13-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-14-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-16-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-17-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-20-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-19-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-18-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-21-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2376-22-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download