Overview

overview

10

Static

static

3

CrimsonRAT.exe

windows7-x64

10

CrimsonRAT.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-02-2024 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CrimsonRAT.exe

  • Size

    84KB

  • MD5

    b6e148ee1a2a3b460dd2a0adbf1dd39c

  • SHA1

    ec0efbe8fd2fa5300164e9e4eded0d40da549c60

  • SHA256

    dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

  • SHA512

    4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

  • SSDEEP

    1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score
10/10
crimsonratrat

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      2⤵
      • Executes dropped EXE
      PID:3092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Hdlharas\dlrarhsiva.exe
    Filesize

    4.9MB

    MD5

    d3603c3613f8fecdc0c15edda239d8ae

    SHA1

    d1467b8b58a139866d432bc45c31469bab94383c

    SHA256

    5464f0dada06805283631741d73b775249f08b6a76ee15c10175a3b628963877

    SHA512

    34d516a8d408bf63c79231870481cd2de2cf2e1651c949ee7b5904e217be7622700c74f8a9be3b88a846351029cdf8b4067c4582cceeb5417ebcca2cbba9b321

    Download Submit

  • C:\ProgramData\Hdlharas\dlrarhsiva.exe
    Filesize

    384KB

    MD5

    534b9391200855b698e894a71e5ba3fa

    SHA1

    6a05233273305ef5c21a75750214cb808aac983f

    SHA256

    0df0a7941a95e86b6d6dba9d26a592c16feaf4a80bb6e29ef602acc0fa44f264

    SHA512

    2bf8264fe254e061f13ebd8d2d174d0121c886a4ccf6e3b815036125a5117a475014200e897896e6627260f2fb4d2dc243814d70ec51e9225db547f744841fdf

    Download Submit

  • C:\ProgramData\Hdlharas\mdkhm.zip
    Filesize

    56KB

    MD5

    b635f6f767e485c7e17833411d567712

    SHA1

    5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

    SHA256

    6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

    SHA512

    551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

    Download Submit

  • memory/992-0-0x000002064E420000-0x000002064E43E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/992-1-0x00007FFD914D0000-0x00007FFD91F91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/992-2-0x0000020668A70000-0x0000020668A80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/992-38-0x00007FFD914D0000-0x00007FFD91F91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3092-34-0x00007FFD914D0000-0x00007FFD91F91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3092-35-0x000001A72DE80000-0x000001A72E794000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/3092-36-0x000001A748E70000-0x000001A748E80000-memory.dmp

    Filesize

    64KB

    Download