crimsonrat | 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e

General

Target

4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
Size

59KB
MD5

04f60dd495708663a410f38db90a5592
SHA1

b2a517f140c0064dd7384c0aeee0c0471bcad126
SHA256

4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e
SHA512

5058fed79826dc45acd7f77cfd3c080dbd708ddcda565c41d8c9e38bcd5aca9551b426abfe6033301833dd7f98783ff0d8da14b514e820de780295758376ecdc

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Dhonvdh\ithmrdrvas.exe	family_crimsonrat
C:\ProgramData\Dhonvdh\ithmrdrvas.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

ithmrdrvas.exe

pid process

1696 ithmrdrvas.exe

pid	process
1696	ithmrdrvas.exe

Drops file in Program Files directory 2 IoCs

Processes:

4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe

description	ioc	process
File created	C:\PROGRA~3\Dhonvdh\ithmrdrvas.exe	4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
File opened for modification	C:\PROGRA~3\Dhonvdh\ithmrdrvas.exe	4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe

description	pid	process	target process
PID 1868 wrote to memory of 1696	1868	4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe	ithmrdrvas.exe
PID 1868 wrote to memory of 1696	1868	4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe	ithmrdrvas.exe
PID 1868 wrote to memory of 1696	1868	4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe	ithmrdrvas.exe

C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
"C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1868
- C:\ProgramData\Dhonvdh\ithmrdrvas.exe
  "C:\ProgramData\Dhonvdh\ithmrdrvas.exe"
  2⤵
  - Executes dropped EXE
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dhonvdh\ithmrdrvas.exe

Filesize
9.3MB

MD5
8930f5a56afe4a9f02c01c6c6b647da0

SHA1
b1000f35e9150d59b0849a662d35f69e67294a51

SHA256
09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d

SHA512
05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc

Download Submit
C:\ProgramData\Dhonvdh\ithmrdrvas.exe

Filesize
9.3MB

MD5
8930f5a56afe4a9f02c01c6c6b647da0

SHA1
b1000f35e9150d59b0849a662d35f69e67294a51

SHA256
09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d

SHA512
05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc

Download Submit
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1696-59-0x000007FEEDC40000-0x000007FEEECD6000-memory.dmp

Filesize
16.6MB

Download
memory/1696-60-0x0000000000D06000-0x0000000000D25000-memory.dmp

Filesize
124KB

Download
memory/1868-54-0x000007FEEDC40000-0x000007FEEECD6000-memory.dmp

Filesize
16.6MB

Download
memory/1868-55-0x0000000000A66000-0x0000000000A85000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads