Malware Analysis Report

2024-10-19 10:21

Sample ID 220121-2w92ksccgl
Target e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584
SHA256 e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584
Tags
crimsonrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584

Threat Level: Known bad

The file e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584 was found to be: Known bad.

Malicious Activity Summary

crimsonrat rat

CrimsonRAT Main Payload

CrimsonRat

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-21 22:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 22:57

Reported

2022-01-21 23:26

Platform

win7-en-20211208

Max time kernel

124s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"

Signatures

CrimsonRAT Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CrimsonRat

rat crimsonrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Detharis\dhrwarhsav.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Detharis\dhrwarhsav.exe | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | N/A
File opened for modification | C:\PROGRA~3\Detharis\dhrwarhsav.exe | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe

"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"

C:\ProgramData\Detharis\dhrwarhsav.exe

"C:\ProgramData\Detharis\dhrwarhsav.exe"

Network

Country | Destination | Domain | Proto
US | 107.175.64.209:6728 | | tcp
US | 107.175.64.209:8661 | | tcp

Files

memory/1116-55-0x0000000000590000-0x0000000000592000-memory.dmp

memory/1116-56-0x000007FEF2A50000-0x000007FEF3AE6000-memory.dmp

memory/1116-57-0x0000000000596000-0x00000000005B5000-memory.dmp

C:\ProgramData\Detharis\dhrwarhsav.exe

MD5 e0db666fff1c8ac20106aa04b20b7b2e
SHA1 9ff84c539401626a0fa95cef4e448e7675785a20
SHA256 c22c8d74daac7596b4816de5b7549927a01f65669aed7f52e382d151deb76080
SHA512 cac85784d1c46c89e9871e6ae011573b09328b98a6ef85ebc4f73bab3ae5e0ed88d7d13167d466805c3bbf5eb505a239395a06e689c10ca8808a2472b4630e67

memory/1804-60-0x000007FEF2A50000-0x000007FEF3AE6000-memory.dmp

memory/1804-62-0x0000000000B46000-0x0000000000B65000-memory.dmp

memory/1804-61-0x0000000000B40000-0x0000000000B42000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-21 22:57

Reported

2022-01-21 23:26

Platform

win10-en-20211208

Max time kernel

165s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"

Signatures

CrimsonRAT Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CrimsonRat

rat crimsonrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Detharis\dhrwarhsav.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe

"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"

C:\ProgramData\Detharis\dhrwarhsav.exe

"C:\ProgramData\Detharis\dhrwarhsav.exe"

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 72.21.91.29:80 | | tcp
US | 20.189.173.1:443 | | tcp
US | 107.175.64.209:6728 | | tcp

Files

memory/2628-115-0x0000000002750000-0x0000000002752000-memory.dmp

C:\ProgramData\Detharis\dhrwarhsav.exe

MD5 e0db666fff1c8ac20106aa04b20b7b2e
SHA1 9ff84c539401626a0fa95cef4e448e7675785a20
SHA256 c22c8d74daac7596b4816de5b7549927a01f65669aed7f52e382d151deb76080
SHA512 cac85784d1c46c89e9871e6ae011573b09328b98a6ef85ebc4f73bab3ae5e0ed88d7d13167d466805c3bbf5eb505a239395a06e689c10ca8808a2472b4630e67

memory/1716-119-0x0000000003080000-0x0000000003082000-memory.dmp

memory/2628-120-0x0000000002752000-0x0000000002754000-memory.dmp

memory/1716-122-0x0000000003082000-0x0000000003084000-memory.dmp