Malware Analysis Report

2024-10-19 10:21

Sample ID 220121-2zqr4scag6
Target e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024
SHA256 e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024
Tags
crimsonrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024

Threat Level: Known bad

The file e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024 was found to be: Known bad.

Malicious Activity Summary

crimsonrat rat

CrimsonRAT Main Payload

CrimsonRat

Executes dropped EXE

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-21 23:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-21 23:01

Reported

2022-01-21 23:14

Platform

win7-en-20211208

Max time kernel

132s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"

Signatures

CrimsonRAT Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CrimsonRat

rat crimsonrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | N/A
File opened for modification | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe

"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

Network

Country | Destination | Domain | Proto
FR | 185.136.161.124:6128 | | tcp
FR | 185.136.161.124:8761 | | tcp

Files

memory/2008-55-0x00000000002C0000-0x0000000000340000-memory.dmp

memory/2008-56-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

memory/2008-57-0x00000000002C0000-0x0000000000340000-memory.dmp

C:\ProgramData\Hdlharas\dlrarhsiva.exe

MD5 b35ab8d47748801afa154144c2891dc4
SHA1 c2c356c1a6abd7858d9a143da35c7fadff9f8edb
SHA256 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c
SHA512 a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45

memory/1552-60-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp

memory/1552-61-0x0000000002870000-0x0000000002872000-memory.dmp

memory/1552-62-0x0000000002876000-0x0000000002895000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-21 23:01

Reported

2022-01-21 23:16

Platform

win10-en-20211208

Max time kernel

190s

Max time network

222s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"

Signatures

CrimsonRAT Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

CrimsonRat

rat crimsonrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe

"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

Network

Country | Destination | Domain | Proto
SE | 23.52.27.27:80 | | tcp
FR | 185.136.161.124:6128 | | tcp

Files

memory/1332-115-0x0000000000C40000-0x0000000000C42000-memory.dmp

C:\ProgramData\Hdlharas\dlrarhsiva.exe

MD5 b35ab8d47748801afa154144c2891dc4
SHA1 c2c356c1a6abd7858d9a143da35c7fadff9f8edb
SHA256 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c
SHA512 a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45

memory/1900-118-0x0000000002E90000-0x0000000002E92000-memory.dmp

memory/1900-119-0x0000000002E92000-0x0000000002E94000-memory.dmp