revengerat | 15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7

General

Target

15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe
Size

598KB
MD5

26915fa5cb65fb932419ff1fced25160
SHA1

13a4353df2d681f86702114ccf1d8e28d63fcdec
SHA256

15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7
SHA512

ff29d2837f51aa30b427230e03be70763095bb465ee1a0eee28803f58867f785903a44f622a9fb4d35033bd9b31410610dc0144ba5e87fad4c90e399e85b422a
SSDEEP

6144:sKWlw1DxD7ASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2t:s7lw1Dxf5zfXeYU43fiysgfBnnl2t

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0008000000018b50-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
1272	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe
2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe
1272	ocs_v71a.exe
1272	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1272	2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe	30
PID 2528 wrote to memory of 1272	2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe	30
PID 2528 wrote to memory of 1272	2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe	30
PID 2528 wrote to memory of 1272	2528	15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe	30

C:\Users\Admin\AppData\Local\Temp\15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe
"C:\Users\Admin\AppData\Local\Temp\15d4b0bb30b552d042ef2797a105028533fc9c78e01612a6a3cec7c673bca3d7N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54458347 -chipde -4c0d7954cb724e329b724513ad70ae2a - -BLUB1 -wpwxzhagwaqdfhlh -524700
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\wpwxzhagwaqdfhlh.dat

Filesize
81B

MD5
62e87db2b484f01ef45ac7697eb6aaf4

SHA1
461a0844b9998bd9def135e4ff1bdf0f99152285

SHA256
77fa2a431447726ece34cbac233ec18ae793c1e4031d52bd59670b61cc78ffa6

SHA512
01a880eab2bc46be999a858949f4452a5467abafc225e3925fc3fcdf73345d84e0fbec78410eaf4e03728a00cfbe99eb8525dff51717fa1806cf34d4f53256a8

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/1272-19-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-20-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

Filesize
4KB

Download
memory/1272-13-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-16-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-17-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-18-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-12-0x000007FEF643E000-0x000007FEF643F000-memory.dmp

Filesize
4KB

Download
memory/1272-14-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-21-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-22-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-23-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-24-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-25-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-27-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download
memory/1272-26-0x000007FEF6180000-0x000007FEF6B1D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing