Malware Analysis Report

2024-10-19 10:21

Sample ID 220121-2rn9babga4
Target feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767
SHA256 feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767
Tags
crimsonrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767

Threat Level: Known bad

The file feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767 was found to be: Known bad.

Malicious Activity Summary

crimsonrat

CrimsonRAT Main Payload

Crimsonrat family

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-01-21 22:49

Signatures

CrimsonRAT Main Payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Crimsonrat family

crimsonrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 22:49

Reported

2022-01-21 22:51

Platform

win7-en-20211208

Max time kernel

135s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe

"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"

Network

Country  Destination            Domain  Proto
DE       173.212.228.121:2836   (none)  tcp
DE       173.212.228.121:5638   (none)  tcp
DE       173.212.228.121:8626   (none)  tcp

Files

memory/744-53-0x0000000001270000-0x000000000145C000-memory.dmp

memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp

memory/744-55-0x0000000004F40000-0x0000000004F41000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-21 22:49

Reported

2022-01-21 22:52

Platform

win10-en-20211208

Max time kernel

162s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe

"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"

Network

Country  Destination            Domain  Proto
DE       173.212.228.121:2836   (none)  tcp
DE       173.212.228.121:5638   (none)  tcp
DE       173.212.228.121:8626   (none)  tcp
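Both detonations (behavioral1 and behavioral2) contact the same host, 173.212.228.121, on the same three TCP ports. The following is an added example of turning those Network rows into a sweep over connection logs; it is not part of the sandbox report. The destination IP and ports are taken from the tables above; the Zeek conn.log-style lines, the internal source addresses and the column layout are constructed for illustration. Hits are split into exact matches (report host and port, TCP) and host-only matches, because a RAT operator can rotate ports while keeping the same server.

```python
"""Sweep connection logs for the CrimsonRAT C2 indicators listed in this report.

Added example, not part of the sandbox report. The indicators come from the
report's Network tables; the log lines below are constructed, not captured.
"""
import ipaddress
from dataclasses import dataclass

# Indicators from the report: one host, three TCP ports.
C2_HOST = ipaddress.ip_address("173.212.228.121")
C2_PORTS = {2836, 5638, 8626}

# Constructed sample in Zeek conn.log column order (tab separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
1642805400.123\tCxyz1\t10.0.0.15\t49831\t173.212.228.121\t2836\ttcp
1642805401.456\tCxyz2\t10.0.0.15\t49832\t93.184.216.34\t443\ttcp
1642805402.789\tCxyz3\t10.0.0.22\t49833\t173.212.228.121\t5638\ttcp
1642805403.000\tCxyz4\t10.0.0.15\t49834\t173.212.228.121\t53\tudp
1642805404.000\tCxyz5\t10.0.0.31\t49835\t173.212.228.121\t8626\ttcp
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    uid: str
    src: str
    dst: str
    dport: int
    proto: str
    reason: str


def parse_conn_log(text):
    """Yield (ts, uid, src, dst, dport, proto) per well-formed line; skip the rest."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue
        ts, uid, src, _sport, dst, dport, proto = fields[:7]
        try:
            yield (ts, uid, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                   int(dport), proto.lower())
        except ValueError:
            # Malformed address or port: skip the line rather than abort the sweep.
            continue


def find_c2_hits(text, host=C2_HOST, ports=C2_PORTS):
    """Return every connection to the C2 host, labelled exact or host-only."""
    hits = []
    for ts, uid, src, dst, dport, proto in parse_conn_log(text):
        if dst != host:
            continue
        if proto == "tcp" and dport in ports:
            reason = "exact: report C2 host and port"
        else:
            reason = "host-only: report C2 host, port/proto not in report"
        hits.append(Hit(ts, uid, str(src), str(dst), dport, proto, reason))
    return hits


def hosts_to_investigate(hits):
    """Internal sources that reached the C2 host, sorted for triage."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    found = find_c2_hits(SAMPLE_CONN_LOG)
    for h in found:
        print(h)
    print("investigate:", hosts_to_investigate(found))
```

The sandbox records connection attempts from an isolated VM, so the three rows say nothing about whether the server answered; on the production side, treat an exact match as high confidence and a host-only match as worth a look, and expect a bare IP indicator to age quickly.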

Files

memory/2324-115-0x0000000000BA0000-0x0000000000D8C000-memory.dmp

memory/2324-116-0x0000000005C20000-0x000000000611E000-memory.dmp

memory/2324-117-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/2324-118-0x0000000005720000-0x0000000005C1E000-memory.dmp

memory/2324-119-0x00000000056F0000-0x00000000056FA000-memory.dmp
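The Files sections of behavioral1 (pid 744) and behavioral2 (pid 2324) list only memory dumps, named by address range. The following is an added example, not part of the sandbox report, that reads those names back into region sizes and compares the two runs. It assumes, as my reading of the names rather than anything the report states, that each file is named memory/<pid>-<index>-<start>-<end>-memory.dmp with start and end being the dumped region's virtual address range.

```python
"""Derive region sizes from the memory dump names in this report and compare runs.

Added example, not part of the sandbox report. Assumes (unstated on the page)
that dump names encode <pid>-<index>-<start>-<end> of the dumped region.
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied verbatim from the report's Files sections.
REPORT_DUMPS = [
    "memory/744-53-0x0000000001270000-0x000000000145C000-memory.dmp",
    "memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp",
    "memory/744-55-0x0000000004F40000-0x0000000004F41000-memory.dmp",
    "memory/2324-115-0x0000000000BA0000-0x0000000000D8C000-memory.dmp",
    "memory/2324-116-0x0000000005C20000-0x000000000611E000-memory.dmp",
    "memory/2324-117-0x0000000005720000-0x00000000057B2000-memory.dmp",
    "memory/2324-118-0x0000000005720000-0x0000000005C1E000-memory.dmp",
    "memory/2324-119-0x00000000056F0000-0x00000000056FA000-memory.dmp",
]


def parse_dump_name(name):
    """Parse one dump name into pid, index, start, end and size (bytes)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def region_sizes(names):
    return [parse_dump_name(n) for n in names]


def page_aligned(region, page=0x1000):
    """True when both ends sit on a page boundary (as every range here does)."""
    return region["start"] % page == 0 and region["end"] % page == 0


def sizes_common_to_all_pids(names):
    """Region sizes present in every detonation.

    A region that keeps its size across the Win7 and Win10 runs while its base
    address moves is the first one to pull when looking for the payload image;
    the report itself does not say which dump that is.
    """
    by_pid = {}
    for r in region_sizes(names):
        by_pid.setdefault(r["pid"], set()).add(r["size"])
    sets = list(by_pid.values())
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    for r in region_sizes(REPORT_DUMPS):
        print(f"pid {r['pid']:>4} #{r['index']:<3} {r['start']:#012x}-{r['end']:#012x} "
              f"size {r['size']:#x} ({r['size']} bytes)")
    print("sizes common to both runs:", [hex(s) for s in sizes_common_to_all_pids(REPORT_DUMPS)])
```

On this report the first dump of each run is exactly 0x1EC000 bytes (0x1270000-0x145C000 on Win7, 0xBA0000-0xD8C000 on Win10) and no other size recurs across the two runs.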