revengerat | d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18

General

Target

d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe
Size

598KB
MD5

3f255e6e63294b4da48e62b55b510a10
SHA1

9caefc1d317c15c9f3812e6b6def715a142e47e2
SHA256

d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18
SHA512

d1abcfc54b5e3d1f946e608d61c3d63db5d160b1bf42e1e78541125bac20aa2ae42a85e843bab3891ac108ac82a18f9d252e735def68d8fe9107fea1f182000a
SSDEEP

6144:rKWlw1DxD2ASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2E:r7lw1DxS5zfXeYU43fiysgfBnnl2E

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000016fc9-6.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2788	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe
2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe
2788	ocs_v71a.exe
2788	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2788	2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe	30
PID 2880 wrote to memory of 2788	2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe	30
PID 2880 wrote to memory of 2788	2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe	30
PID 2880 wrote to memory of 2788	2880	d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe	30

C:\Users\Admin\AppData\Local\Temp\d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe
"C:\Users\Admin\AppData\Local\Temp\d5f7c28345ed86db6a1c64878b5099a9c51c33421368bfc1670c706a8b771a18.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54396726 -chipde -441c9e95939142918b2b102b6ef6ae06 - -BLUB1 -pcdwwjnnvwukecsg -524682
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\pcdwwjnnvwukecsg.dat

Filesize
81B

MD5
82d501460622b4418998faf6355be42f

SHA1
90ec34cb801390e8909a430bd2cfbad62dca555c

SHA256
524f8f4b558a441298a50a7857ce2943ac765d86cb391a9eb5e0dd798ef5a15c

SHA512
4a87ced025f39538de858fcacce892650a053ff8329600508ef936815bf923b34e3b6525dc02b85a3a3f09cbb43b38ea3b1a3262b0d636c6ae0edf2e3fc9b581

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2788-19-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-22-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-13-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-16-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-17-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-18-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-12-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2788-20-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-21-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2788-14-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-23-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-24-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-25-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-26-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-27-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-28-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2788-29-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing