crimsonrat

Sharing

Copy URL

Twitter E-mail

General

Target

RAT.zip
Size

4.6MB
Sample

240303-bljhrsah7x
MD5

dcedb9512531b041cb158200ebf0903a
SHA1

13b4817400f28e7728bd3b73ca305f68de9a05da
SHA256

0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818
SHA512

dc9c0faed5d66855d8a48b87ccb1c29c33628ea44c83fa36a6a48ce043af89be6d9f4f9989fb1b5860ae4478a4e8aaae15b1e515e92147676b84b84219fa3160
SSDEEP

98304:3Jgh27PjFtfeDmhXdckuXqxlPaD3xzt5XVn5/3t6:3JghwCD0adIpaDlttdn6

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes

reg_key
b9584a316aeb9ca9b31edd4db18381f5
splitter
Y262SUCZ4UJJ

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

netwire

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
AAAAA
lock_executable
false
mutex
CQbRXVuG
offline_keylogger
false
password
jhbkdcfgvdfgknl
registry_autorun
false
use_mutex
true

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

metasploit

Version

windows/download_exec

http://149.129.72.37:23456/SNpK

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

185.136.161.124

Targets

- Target
  
  RAT/Adwind.exe
- Size
  
  5KB
- MD5
  
  fe537a3346590c04d81d357e3c4be6e8
- SHA1
  
  b1285f1d8618292e17e490857d1bdf0a79104837
- SHA256
  
  bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
- SHA512
  
  50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
- SSDEEP
  
  96:w9fXh7CBF8l1cHRDOjY4YbiPkW7UW1g+dWi9sBSy3HQNm6wx2xC7vz5:GXh78hHRDOU4YWPk2J14i9E3ymBxW+
Score

10^/10

njrat remcos discovery rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies file permissions
  discovery
behavioral1 behavioral2
- Target
  
  RAT/Blackkomet.exe
- Size
  
  756KB
- MD5
  
  c7dcd585b7e8b046f209052bcd6dd84b
- SHA1
  
  604dcfae9eed4f65c80a4a39454db409291e08fa
- SHA256
  
  0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
- SHA512
  
  c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
- SSDEEP
  
  12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3
Score

10^/10

darkcomet evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  RAT/CobaltStrike.doc
- Size
  
  86KB
- MD5
  
  96ff9d4cac8d3a8e73c33fc6bf72f198
- SHA1
  
  17d7edf6e496dec4695d686e7d0e422081cd5cbe
- SHA256
  
  96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
- SHA512
  
  23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46
- SSDEEP
  
  1536:lDZnLvdWcSVUj473eXfb6K3ABfSlH+ArfocK4XEorNColhVDo8NYzyReCxRVZs+x:vDAzVY4zSfb6mABfSleqocKg7Bo8NiCR
Score

10^/10

metasploit backdoor trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
behavioral5 behavioral6
- Target
  
  RAT/CrimsonRAT.exe
- Size
  
  84KB
- MD5
  
  b6e148ee1a2a3b460dd2a0adbf1dd39c
- SHA1
  
  ec0efbe8fd2fa5300164e9e4eded0d40da549c60
- SHA256
  
  dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
- SHA512
  
  4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
- SSDEEP
  
  1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG
Score

10^/10

crimsonrat rat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral7 behavioral8
- Target
  
  RAT/NJRat.exe
- Size
  
  31KB
- MD5
  
  29a37b6532a7acefa7580b826f23f6dd
- SHA1
  
  a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
- SHA256
  
  7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
- SHA512
  
  a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
- SSDEEP
  
  768:64+64ZRzo+zxJ+lS7gqzZ5XvzpQmIDUu0ti69j:xM3/Bh1QVkvj
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
behavioral10 behavioral9
- Target
  
  RAT/NetWire.doc
- Size
  
  7.3MB
- MD5
  
  6b23cce75ff84aaa6216e90b6ce6a5f3
- SHA1
  
  e6cc0ef23044de9b1f96b67699c55232aea67f7d
- SHA256
  
  9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
- SHA512
  
  4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
- SSDEEP
  
  49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral11 behavioral12
- Target
  
  RAT/NetWire.exe
- Size
  
  1.2MB
- MD5
  
  7621f79a7f66c25ad6c636d5248abeb9
- SHA1
  
  98304e41f82c3aee82213a286abdee9abf79bcce
- SHA256
  
  086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
- SHA512
  
  59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd
- SSDEEP
  
  24576:nBlDgE7EmXWAqSvg439vGSVNe1/hqIiHSvd7:n7DlC+GSjiBiyF
Score

10^/10

modiloader netwire botnet persistence rat stealer trojan
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- ModiLoader First Stage
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  RAT/Remcos.exe
- Size
  
  92KB
- MD5
  
  fb598b93c04baafe98683dc210e779c9
- SHA1
  
  c7ccd43a721a508b807c9bf6d774344df58e752f
- SHA256
  
  c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4
- SHA512
  
  1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f
- SSDEEP
  
  1536:AhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6brM:GhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+7
Score

10^/10

remcos host evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  RAT/RevengeRAT.exe
- Size
  
  4.0MB
- MD5
  
  1d9045870dbd31e2e399a4e8ecd9302f
- SHA1
  
  7857c1ebfd1b37756d106027ed03121d8e7887cf
- SHA256
  
  9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885
- SHA512
  
  9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909
- SSDEEP
  
  1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz
Score

10^/10

revengerat guest persistence stealer trojan
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- RevengeRat Executable
  stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  RAT/VanToM-Rat.bat
- Size
  
  183KB
- MD5
  
  3d4e3f149f3d0cdfe76bf8b235742c97
- SHA1
  
  0e0e34b5fd8c15547ca98027e49b1dcf37146d95
- SHA256
  
  b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
- SHA512
  
  8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
- SSDEEP
  
  3072:UurlxKcmWTTt7Zde2vBVQF4EWjFRA229YvepcCBKXnpU:vrlOWFddeAVQF4EWx92iepcCBK3
Score

7^/10

persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  RAT/WarzoneRAT.exe
- Size
  
  321KB
- MD5
  
  600e0dbaefc03f7bf50abb0def3fb465
- SHA1
  
  1b5f0ac48e06edc4ed8243be61d71077f770f2b4
- SHA256
  
  61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
- SHA512
  
  151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9
- SSDEEP
  
  6144:62GhN2db088fTdUuNU0we+HPps1zcJLVPzGKfwQ7PHC3NJTyhtPB1m:62iNG088fTWsU0wJBsGJPf4Q7PHC3NJ8
Score

10^/10

warzonerat infostealer rat rezer0
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral21 behavioral22