revengerat | 2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0

General

Target

2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe
Size

598KB
MD5

d9447839b14266fc4199a9338a887460
SHA1

4f0533401a4a73345b9cb07dd3a575db6c71055e
SHA256

2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0
SHA512

e9c4ec730791218db56fcfa8c06d850b4d07721eea58399f9c32349fb8eec422c847e4db84e9fd982541a828a2fe6e6e72430c72522135ba368fb2388664092f
SSDEEP

6144:FKWlw1DxDSASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2O:F7lw1DxG5zfXeYU43fiysgfBnnl2O

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000001658d-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2852	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe
2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe
2852	ocs_v71a.exe
2852	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2852	2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe	30
PID 2492 wrote to memory of 2852	2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe	30
PID 2492 wrote to memory of 2852	2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe	30
PID 2492 wrote to memory of 2852	2492	2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe	30

C:\Users\Admin\AppData\Local\Temp\2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe
"C:\Users\Admin\AppData\Local\Temp\2117e7d11a5d7f0dd6e829fab57dff4230ec39e7107f10990eee984cfdb148c0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54384286 -chipde -968d5150c41c4ff886ae69e9c2e78548 - -BLUB1 -rawgzyahqevifllw -393504
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\rawgzyahqevifllw.dat

Filesize
83B

MD5
d301911d086bcb940f897862ecba8dd7

SHA1
0ffd25d17acc869e0d7ebdc24181e95d8c9c6288

SHA256
539ef45188a2b6c0de429792bf0f3c45bb1540d5146fcb04f3076f08085f5d29

SHA512
2177c4021da87807bfc98e2b70288312f8bb49567abea022ada9933600bed5de3c38f8e0ef86c059905e495241198fb449b968830bb73431f5030a3fe54db1bb

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2852-19-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-20-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-15-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-16-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-17-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-18-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-12-0x000007FEF680E000-0x000007FEF680F000-memory.dmp

Filesize
4KB

Download
memory/2852-13-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-21-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-22-0x000007FEF680E000-0x000007FEF680F000-memory.dmp

Filesize
4KB

Download
memory/2852-23-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-24-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-25-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-27-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download
memory/2852-26-0x000007FEF6550000-0x000007FEF6EED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing