revengerat | 9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41

General

Target

9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe
Size

600KB
MD5

83058e55cbc02d00dd9458310fd694e3
SHA1

22707b109809e6f6d5949f0ce7d196b346ac75b0
SHA256

9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41
SHA512

997d75572de96cd847250ead0c3b9a380ac69e357eae878a0fb6e88738dd1d83d12e00c03d2a9464e31198d088fb0a616ea05c803f12a0e12e59e7d0f7de7834
SSDEEP

6144:YKWlw1DxDjASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX21e:Y7lw1Dx35zfXeYU43fiysgfBnnl21e

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0006000000019242-10.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2456	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe
2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe
2456	ocs_v71a.exe
2456	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2456	2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe	31
PID 2536 wrote to memory of 2456	2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe	31
PID 2536 wrote to memory of 2456	2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe	31
PID 2536 wrote to memory of 2456	2536	9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe	31

C:\Users\Admin\AppData\Local\Temp\9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe
"C:\Users\Admin\AppData\Local\Temp\9825b9d90e62ae81d30039d79383da77c310026985c5c8a003d52e05b24f0e41.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54430229 -chipde -06be32d4177d4db58a1e2387ebf0f7b3 - -BLUB1 -ccpavxkjsvmwhioe -524702
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456

Network

DNS

thinklabs-ltd.de

ocs_v71a.exe

Remote address:

8.8.8.8:53

Request

thinklabs-ltd.de

IN A

Response

thinklabs-ltd.de

IN A

176.9.175.237
GET

http://thinklabs-ltd.de/geoip.php

ocs_v71a.exe

Remote address:

176.9.175.237:80

Request

GET /geoip.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
Host: thinklabs-ltd.de
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 24 Jan 2025 01:42:14 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 2
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
DNS

bin.download-sponsor.de

ocs_v71a.exe

Remote address:

8.8.8.8:53

Request

bin.download-sponsor.de

IN A

Response

bin.download-sponsor.de

IN A

176.9.175.234

176.9.175.237:80

http://thinklabs-ltd.de/geoip.php

http

ocs_v71a.exe

397 B
330 B
5
3

HTTP Request

GET http://thinklabs-ltd.de/geoip.php

HTTP Response

200
176.9.175.234:443

bin.download-sponsor.de

https

ocs_v71a.exe

443 B
172 B
5
4

8.8.8.8:53

thinklabs-ltd.de

dns

ocs_v71a.exe

62 B
78 B
1
1

DNS Request

thinklabs-ltd.de

DNS Response

176.9.175.237
8.8.8.8:53

bin.download-sponsor.de

dns

ocs_v71a.exe

69 B
85 B
1
1

DNS Request

bin.download-sponsor.de

DNS Response

176.9.175.234

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\ccpavxkjsvmwhioe.dat

Filesize
83B

MD5
00ea93d39a577dee2304f135f248bd4d

SHA1
24e3fc5e16f3e3433d828cbe2693b9a5e79c40ab

SHA256
73883eae58f1de61ddced0871d72106f5460e80f16e6fb2c1c00bf9ea5dd5e96

SHA512
e339d70b965675286563abbb2936a31c6abbce38e913da1b181dcf4b3f0ec1782bc1ad79c82e2f82baa86c75ddb834d002e04b3427c868ceef261db354d02ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2456-12-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

Filesize
4KB

Download
memory/2456-13-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-14-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-16-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-17-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-18-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-19-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-20-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-21-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response