revengerat | 14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67

Analysis

max time kernel
84s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe
Size

598KB
MD5

f5ef9d90a69c1497a78ebdf5f2b1f3c0
SHA1

5bbcc122e1daa06a1d85dc39ec23ba33b3db264a
SHA256

14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67
SHA512

a80ff0f415a23d236a5d3e139bb51ea86b986a87ff1e9cdc5a00aa107db41187437be8d34796dd87c04c945b7e90f7440f1afdeb7616f0164289536e4e8461e2
SSDEEP

6144:qKWlw1DxD3ASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX28:q7lw1Dxj5zfXeYU43fiysgfBnnl28

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x00060000000195d6-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
3036	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe
2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe
3036	ocs_v71a.exe
3036	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3036	2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe	29
PID 2164 wrote to memory of 3036	2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe	29
PID 2164 wrote to memory of 3036	2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe	29
PID 2164 wrote to memory of 3036	2164	14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe	29

C:\Users\Admin\AppData\Local\Temp\14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe
"C:\Users\Admin\AppData\Local\Temp\14eb781fcba63892596af8f669071b3e9d480871da77e2871a10c7f5a83aca67N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54464892 -chipde -288b022d303b4520a34d2e749d742bbf - -BLUB1 -jphlzivdigiwqadm -459090
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\jphlzivdigiwqadm.dat

Filesize
83B

MD5
5d719cb6c19e46539f527568b575297e

SHA1
ad9a7f0e77e52385e63fc099a5ab8f77f42a8d53

SHA256
b2a586176f490b9b70071df82d799c7722a98f72b72582d479055b89777cd6b7

SHA512
176348e7ff00bfaf79ac4019fe1e0f0b836fd2d1028287a8db34d19d3027a948eb0f508379e9bce8d68e1bd19de421b3e013394dc6f97887b4ff1d0447db99a4

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/3036-12-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/3036-13-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-15-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-16-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-17-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-18-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-19-0x000007FEF5DFE000-0x000007FEF5DFF000-memory.dmp

Filesize
4KB

Download
memory/3036-20-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download
memory/3036-21-0x000007FEF5B40000-0x000007FEF64DD000-memory.dmp

Filesize
9.6MB

Download