revengerat | 1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60

General

Target

1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe
Size

600KB
MD5

2d0843a7b4b28a7fbf9d05e127cc44e0
SHA1

2c7893bb169a3f532e92c3779df7849df5b3c016
SHA256

1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60
SHA512

be28990f8915c32db46add1dcbc5b82482445ec3567688d34b3828fa05fa4e1b90aebc7f5c1dccf8fee282afe2622f732f6753b0ef3adf777c5df8611dccfa81
SSDEEP

6144:BKWlw1DxDCASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2:B7lw1DxG5zfXeYU43fiysgfBnnl2

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0006000000019643-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2928	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe
2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe
2928	ocs_v71a.exe
2928	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2928	2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe	30
PID 2804 wrote to memory of 2928	2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe	30
PID 2804 wrote to memory of 2928	2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe	30
PID 2804 wrote to memory of 2928	2804	1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe	30

C:\Users\Admin\AppData\Local\Temp\1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe
"C:\Users\Admin\AppData\Local\Temp\1ba05acf809661cf25b054b60abb83c44a3c6d792022c47df30c6b03687f2c60N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54482678 -chipde -bb6f3e50b24a4fe796f6ae5edba5dab6 - -ChromeBundle -xujjsokhcfowrzbb -393502
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\xujjsokhcfowrzbb.dat

Filesize
83B

MD5
20d0b3f7c7b488538c15367387f218ad

SHA1
5ecde4f4d2d87e7a7411325517e2aa13a0a95e3b

SHA256
c4772af52d617b04b6992df7d033fc6a1a7778c631761dcd6faf21f09ab8f006

SHA512
e25d4a90cdeb0a33b19404408e8d260ef9117d0ef6e2e323f7d51cbab174fcbdb079af407b2d5703820e9faeca6f92e6a3ced950a5b3c9477bc0cbdc3190f842

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2928-19-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-20-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-13-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-16-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-17-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-18-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-12-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

Filesize
4KB

Download
memory/2928-14-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-21-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-22-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-23-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-24-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-25-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download
memory/2928-26-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing