crimsonrat | 108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3

General

Target

108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe
Size

1013KB
MD5

bd0c697c1bb3128d887f5af37b363061
SHA1

7be657c8e978a035ef6b3f16a97c6e4a16fa75cc
SHA256

108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3
SHA512

92323c92b7b3c4196f3b8973d156ea49fa77a6fade1ff92c996155b0ab8c05cf2be3ab7c356dc5c18382fcbf6600a3407b088987e27a8a7ada94a8edd431b4fc

Score

10^/10

Malware Config

Signatures

CrimsonRAT Main Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000013327-57.dat	family_crimsonrat
behavioral1/files/0x0006000000013327-59.dat	family_crimsonrat
behavioral1/files/0x0006000000013327-58.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
568	radhrviga.exe

Loads dropped DLL 1 IoCs

pid	Process
288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\AdobIR\radhrviga.exe	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe
File opened for modification	C:\PROGRA~3\AdobIR\radhrviga.exe	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
852	AcroRd32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
852	AcroRd32.exe
852	AcroRd32.exe
852	AcroRd32.exe
852	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 568	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	27
PID 288 wrote to memory of 568	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	27
PID 288 wrote to memory of 568	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	27
PID 288 wrote to memory of 568	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	27
PID 288 wrote to memory of 852	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	28
PID 288 wrote to memory of 852	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	28
PID 288 wrote to memory of 852	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	28
PID 288 wrote to memory of 852	288	108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe	28

C:\Users\Admin\AppData\Local\Temp\108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe
"C:\Users\Admin\AppData\Local\Temp\108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:288
- C:\ProgramData\AdobIR\radhrviga.exe
  "C:\ProgramData\AdobIR\radhrviga.exe"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\108ea9a83499004c3b618a2d547bdcdd470a7012ed0eba1dcf5bdca93beb4bb3.exe_3 .pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-54-0x00000000011E0000-0x00000000012E4000-memory.dmp

Filesize
1.0MB

Download
memory/288-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/288-56-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/568-62-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing