Extracted

• • Target

    google chrome.vbs

  • Size

    70B

  • MD5

    a8f9c450316c75f40e9f809fb65baca5

  • SHA1

    e4a9a0ceeb77653f64469442ede3e7426762d25e

  • SHA256

    f32fd9c137672a426d418f52069fc716ecbb5d32fdb2954c1771a8d90435ff31

  • SHA512

    fc050c7b5e2e76763912e65781987023839be8e8e096bf5ce61614357ab6196cad8b57809e201e73c1666ee2f66ce36ecbf3a096825947d865bfc24819ccdde9

  Score

  10^/10

  crimsonratdharmapersistenceransomwareratspywarestealer

  • CrimsonRAT main payload

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomware

  • Renames multiple (536) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Downloads MZ/PE file

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Drops file in System32 directory

  behavioral1