crimsonrat | 47817a270025ca718a26ff6c2f6fcb445319e67ca07d401779210cc84051c03e | Triage

Submit
Reports

Overview

overview

Static

static

e87978f0af...e0.exe

windows11-21h2-x64

Sharing

General

Target

240202-r9txeagfe6_pw_infected.zip
Size

2.4MB
Sample

240211-mcptzafb2v
MD5

e638808926fca58b1d98e16f8c735ff4
SHA1

d4afd529e4e62547c9bf0a65a882b585d569c1ca
SHA256

47817a270025ca718a26ff6c2f6fcb445319e67ca07d401779210cc84051c03e
SHA512

afa81653af53a2a5f4657c4cf7bc658872abbfee9903d89db5e7baac00762ee30dc76d405f552031740913e21368913107170910211c7dbebe6bdc2d31817856
SSDEEP

49152:rDgDxzEAIRAFiPM4UYpLrhPkyAzxOOnG6hcb0UWCczu3KpGgI8JKJ+yQPI1EXBvi:rVgoM4Nr+yAJnDa0UWvu6pGgI8JA+yWE

Score

10^/10

crimsonrat discovery persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

e87978f0af9bb550ab4686a7d3657e6cbfd92347744dfce8ff2321781ac2eee0.exe

Resource

win11-20231215-en

crimsonrat discovery persistence rat

windows11-21h2-x64

20 signatures

1800 seconds

Malware Config

Extracted

Family

crimsonrat

C2

164.68.122.64

Targets

- Target
  
  e87978f0af9bb550ab4686a7d3657e6cbfd92347744dfce8ff2321781ac2eee0.exe
- Size
  
  18.7MB
- MD5
  
  f5380e7a6e15a0ef27e6f31fcc29ed4d
- SHA1
  
  ee9d4e5c19dc910ae46f8637ad6d738b55971238
- SHA256
  
  e87978f0af9bb550ab4686a7d3657e6cbfd92347744dfce8ff2321781ac2eee0
- SHA512
  
  795fb7bf5bf9b6b909735a3851c8df268c750d37ebc39fc446d655a5976a0e4ba39b19aa6ab8a7c7047bc8dfd30b26ea813fd614f4c29d867caac29df4ebfd7e
- SSDEEP
  
  49152:a/6HjgQAOk7lEX8YHrdDTrr9mJjA1hcu9K5KP497IffvGe:U6Hj5AOkmMYLdf9m6V/1ffue
Score

10^/10

crimsonrat discovery persistence rat
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Registers COM server for autorun
  persistence
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Change Default File Association

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

crimsonratdiscoverypersistencerat

© 2018-2024

Terms | Privacy