Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24/01/2025, 03:14 UTC
Static task
static1
Behavioral task
behavioral1
Sample
1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe
Resource
win10v2004-20241007-en
General
-
Target
1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe
-
Size
598KB
-
MD5
287bedc379d15fa5527af96200525f20
-
SHA1
855d53d8545887da4346d13428952068923e5ee8
-
SHA256
1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bd
-
SHA512
26dbf13fbe409464bfcb4cec76e20593d9900f3d00eb5ccd31721672857a9617d1dcc683e8250ca93c136068788d68569576f3efe208aa9fa1d6bf1752cb3385
-
SSDEEP
6144:/KWlw1DxDfASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2d:/7lw1Dx75zfXeYU43fiysgfBnnl2d
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Revengerat family
-
RevengeRat Executable 1 IoCs
resource yara_rule behavioral2/files/0x0009000000023bc8-6.dat revengerat -
Executes dropped EXE 1 IoCs
pid Process 3596 ocs_v71a.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3596 ocs_v71a.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 880 1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe 3596 ocs_v71a.exe 3596 ocs_v71a.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 880 wrote to memory of 3596 880 1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe 84 PID 880 wrote to memory of 3596 880 1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe"C:\Users\Admin\AppData\Local\Temp\1375655bd05aff5b2bbd1a741c8eb5be506146c4da7943a45266a085df5a99bdN.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exeC:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54413975 -chipde -430aeeef76954f49858f7a0a01823f4b - -BLUB2 -wlwjgmemctmpzmas -3278262⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596
-
Network
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request85.49.80.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request244.160.67.23.in-addr.arpaIN PTRResponse244.160.67.23.in-addr.arpaIN PTRa23-67-160-244deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requestthinklabs-ltd.deIN AResponsethinklabs-ltd.deIN A176.9.175.237
-
Remote address:176.9.175.237:80RequestGET /geoip.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0; DSde) Gecko/20100101 Firefox/23.0
Host: thinklabs-ltd.de
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Length: 2
Keep-Alive: timeout=5, max=1500
Connection: Keep-Alive
Content-Type: text/html
-
Remote address:8.8.8.8:53Requestbin.download-sponsor.deIN AResponsebin.download-sponsor.deIN A176.9.175.234
-
Remote address:8.8.8.8:53Request237.175.9.176.in-addr.arpaIN PTRResponse237.175.9.176.in-addr.arpaIN PTRwww1thinklabs-clusterde
-
Remote address:8.8.8.8:53Request234.175.9.176.in-addr.arpaIN PTRResponse234.175.9.176.in-addr.arpaIN PTRweb1thinklabs-clusterde
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request53.210.109.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
397 B 330 B 5 3
HTTP Request
GET http://thinklabs-ltd.de/geoip.phpHTTP Response
200 -
443 B 172 B 5 4
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
85.49.80.91.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
244.160.67.23.in-addr.arpa
-
62 B 78 B 1 1
DNS Request
thinklabs-ltd.de
DNS Response
176.9.175.237
-
69 B 85 B 1 1
DNS Request
bin.download-sponsor.de
DNS Response
176.9.175.234
-
72 B 111 B 1 1
DNS Request
237.175.9.176.in-addr.arpa
-
72 B 111 B 1 1
DNS Request
234.175.9.176.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
53.210.109.20.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
288KB
MD5317ec5f92cfbf04a53e8125b66b3b4af
SHA116068b8977b4dc562ae782d91bc009472667e331
SHA2567612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5
SHA512ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65
-
Filesize
83B
MD5468c49f0da97193fc2f7abe8ce012bb9
SHA1160439a0e50457eee54188694355798a196471bb
SHA2563e249e6840c35982e5b1104920c4ee49c9a9b31694a253dffa8088d8105f603d
SHA51293e87c24a15f4c4a3e84794578d6af195c8c4960dd2332261db8bb6893939c62d4d12193e03df302b01ed7cd2dbf5c21b832582bdbefe087ef4b879172e41776