crimsonrat | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrimsonRAT.exe
Size

84KB
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002400000001495c-24.dat	family_crimsonrat
behavioral1/files/0x002400000001495c-25.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
2712	dlrarhsiva.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe
File created	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2712	1204	CrimsonRAT.exe	28
PID 1204 wrote to memory of 2712	1204	CrimsonRAT.exe	28
PID 1204 wrote to memory of 2712	1204	CrimsonRAT.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1204
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
896KB

MD5
5c205ad83528ac3bca2f10c246f1b936

SHA1
d5bad990ed1581b2b8c05f3d58e58cab2cb37e2c

SHA256
99b2f537671d82ec445f3b492a74e652f6e8fc91d7f6a5873ea416a37968df40

SHA512
06794b02c59bcb6581d95194fdc6ff665a50f5bce82c66f036abcb1f711814e4db44c95f1b81210e3fff82952d15cb7caac300c17e17c92a44e132b16367a4a9

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
1024KB

MD5
2dc76c3deab4660fd13da6ebcc6e4e3e

SHA1
f247ca54c8c3117c05da9c1bc442e8dcd73dfe8f

SHA256
f3a069d4c2be1c8a8a989c8902c39eb924a23016954554e84828849cfeb40121

SHA512
abfb0ea0f5fecda59f6e577013d426e8fd912779890a63a7d65f7a25d7e3d301cb5af8255d7283b8932c0ec4fe5d8987c471846bb33a48bd2271a67d6f0af908

Download Submit
memory/1204-0-0x0000000000300000-0x000000000031E000-memory.dmp

Filesize
120KB

Download
memory/1204-1-0x000007FEF6040000-0x000007FEF6A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1204-2-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/1204-30-0x000007FEF6040000-0x000007FEF6A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-27-0x0000000000F10000-0x0000000001824000-memory.dmp

Filesize
9.1MB

Download
memory/2712-28-0x000007FEF6040000-0x000007FEF6A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-29-0x000000001BC90000-0x000000001BD10000-memory.dmp

Filesize
512KB

Download