revengerat | 21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331b

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
Size

614KB
MD5

af1725436c92f3309d72a7f98d6b0e70
SHA1

e3fb24728cf935bd4c6488087dd2a29e94f2eded
SHA256

21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331b
SHA512

d521a25a408af2c74cb097566a47a4f2f224054ef63d4cab0e2264641727928cb18daf8bbf237b9200d2dcc08d3f2809a23bddddbf05705813bab00c0ed7d696
SSDEEP

12288:i7lw1DxbpefX4qkkn9wifVzo6mj+ysgfBnnl2F:i7m1DLqkknljmj+ysgpnncF

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000016d2a-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2508	ocs_v71b.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
2508	ocs_v71b.exe
2508	ocs_v71b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2508	2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe	30
PID 2928 wrote to memory of 2508	2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe	30
PID 2928 wrote to memory of 2508	2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe	30
PID 2928 wrote to memory of 2508	2928	21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe	30

C:\Users\Admin\AppData\Local\Temp\21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe
"C:\Users\Admin\AppData\Local\Temp\21955da530ea83552c8e93381f4660d9a0fab2443d996d2bc1bbfbad96a8331bN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe -install -54415075 -chipde -3f4cad91c7dd4d608a78e35bdc824fa7 - -BLUB1 -spekkblwmvlbksub -917918
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\spekkblwmvlbksub.dat

Filesize
57B

MD5
017065f3405d83ac248980ccc95e39a8

SHA1
93a512b36433730d3fe0438d2aef202f6ab7a325

SHA256
34f706d612784e29f64e1d3039a7f03415363ac57fa2c21922b77c5a71a64e9c

SHA512
e58b450720759ca0245200f342ab171d8f5e9e235cf9ee19cfc40b544a3351b4427046843bbcf8385d687145528e2f920acb00d08624f6c993c697d7ee4fbac1

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71b.exe

Filesize
304KB

MD5
7b3b5db5fdd271811f9f22d52ee36e9d

SHA1
dae3b80a567aa739fa54d4c896a2cfe0f9718180

SHA256
c5e83f41df5b4158994a29122874c3ff26d5e5877eb9a1dc109693d8ea41cea2

SHA512
91ae6be31c599344f44fc5decd2d51f7ff2e86da53089c8f5a821c71853c0603e613c2455eedbf55970bda34e2f74547105b27d53dfdf5c47b81e648cdc3ced2

Download Submit
memory/2508-17-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-14-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-13-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-16-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-12-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

Filesize
4KB

Download
memory/2508-18-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-19-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-20-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-21-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-22-0x000007FEF616E000-0x000007FEF616F000-memory.dmp

Filesize
4KB

Download
memory/2508-23-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-25-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-24-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

Filesize
9.6MB

Download