revengerat | 179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244

General

Target

179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe
Size

598KB
MD5

14b3c2175dec72dd1c2a55f8ec14e6b0
SHA1

cd901cd435d5aafcedd8d31ee8bfd27bbcc7e832
SHA256

179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244
SHA512

b521c13bb464728cf510a0d4ff9de6311a669651d6cd33b131573225de0b27c246ffd42156f62926e3b4278f83968c4c200219d7f54ed964aa7030a68519fba5
SSDEEP

6144:hKWlw1DxD+ASIAfCEv2YUMNJlaJuNlK17Y4c83fhysVufBn597NX2V:h7lw1Dxq5zfXeYU43fiysgfBnnl2V

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000018741-5.dat	revengerat

Executes dropped EXE 1 IoCs

pid	Process
2500	ocs_v71a.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe
2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe
2500	ocs_v71a.exe
2500	ocs_v71a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2500	2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe	31
PID 2860 wrote to memory of 2500	2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe	31
PID 2860 wrote to memory of 2500	2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe	31
PID 2860 wrote to memory of 2500	2860	179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe	31

C:\Users\Admin\AppData\Local\Temp\179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe
"C:\Users\Admin\AppData\Local\Temp\179970383746bc4e213aa3c5e19305d5e84ea7296f038d3014575f4321610244N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe
  C:\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe -install -54383364 -chipde -11ec508851b9429fbbf18a77eb03178c - -ChromeBundle -rujgqfpovigoesxk -459162
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OCS\rujgqfpovigoesxk.dat

Filesize
83B

MD5
c8400facd961d8eb68471bb7715e54b4

SHA1
a9654557d45576aae94220de341064aef8c13beb

SHA256
02c873b3514e4f6f4367a8371aae0766250c301371ff3817da666be43026bfd4

SHA512
6908ee9484fab0fab3f523b9bc3ddf74f6705c1220a74fc5ce5f9f93bd4d67c592fdd680b9693a7abc5bd73efd2f97176d226f3cbb0c591532a51095dce2f3e1

Download Submit
\Users\Admin\AppData\Local\Temp\OCS\ocs_v71a.exe

Filesize
288KB

MD5
317ec5f92cfbf04a53e8125b66b3b4af

SHA1
16068b8977b4dc562ae782d91bc009472667e331

SHA256
7612ef3877c3e4e305a6c22941141601b489a73bc088622a40ebd93bee25bae5

SHA512
ed772da641a5c128677c4c285c648c1d8e539c34522b95c14f614797bb0d188571c7c257441d45598809aa3f8b4690bd53230282726e077c86c8d9fe71c1db65

Download Submit
memory/2500-19-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-17-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-13-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-16-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-18-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-20-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-12-0x000007FEF68EE000-0x000007FEF68EF000-memory.dmp

Filesize
4KB

Download
memory/2500-14-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-21-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-22-0x000007FEF68EE000-0x000007FEF68EF000-memory.dmp

Filesize
4KB

Download
memory/2500-23-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-24-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-25-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-26-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-27-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-28-0x000007FEF6630000-0x000007FEF6FCD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing