revengerat | 156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755

General

Target

156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
Size

598KB
MD5

d9fbfc2935082465f64f882603a48917
SHA1

e6d8a73d5cf363ef7b0c6d070466bdfeb308ad1b
SHA256

156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755
SHA512

49852e44ededd9abd16aebe6af288f5d0e3752d190dbc43732e78cd79e9a9725965d4d25b582e3e99c75ee122842c9ceb3d1e5dfe9926788d3ce8ff521cc6ef9
SSDEEP

6144:rKWlw1DxDFASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2v:r7lw1Dx55zfXeYU43fiysgfBnnl2v

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000016cab-11.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
804	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
804	ocs_v71a.exe
804	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 804	1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe	30
PID 1952 wrote to memory of 804	1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe	30
PID 1952 wrote to memory of 804	1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe	30
PID 1952 wrote to memory of 804	1952	156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe	30

C:\Users\Admin\AppData\Local\Temp\156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe
"C:\Users\Admin\AppData\Local\Temp\156c1abd39f045e2c45d64bafd00b6acb64841f9a975045c5b13f905d08c0755.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54426511 -chipde -6cdf23fe36b2464db9c423d5f453514c - -BLUB1 -ktardiessweddmsw -917846
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\ktardiessweddmsw.dat

Filesize
83B

MD5
3b21d4cd921a9239441586d7cec32701

SHA1
d307f2b4cba818f9bdf3e2ffa92c7c2864d038a8

SHA256
cc22be80fd6abf3aa97cf26110adbac424c15add06131dc06c0b12b3ac1a4e04

SHA512
bb91a5eebf43bc71ca7cf6ec5366c69ce4f0df098403abd8da4113489d0911fb25bb3e20aadb2d480dce2f78cc51745d9b705aac71202e11b5f0604f551157c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/804-19-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-20-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/804-14-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-13-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-12-0x000007FEF5BEE000-0x000007FEF5BEF000-memory.dmp

Filesize
4KB

Download
memory/804-17-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-18-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-16-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-21-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-22-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-23-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-24-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-25-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-26-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download
memory/804-27-0x000007FEF5930000-0x000007FEF62CD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing