crimsonrat | 0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/CrimsonRAT.exe
Size

84KB
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 3 IoCs

Processes:

resource	yara_rule
behavioral7/files/0x00060000000167db-24.dat	family_crimsonrat
behavioral7/files/0x00060000000167db-26.dat	family_crimsonrat
behavioral7/files/0x00060000000167db-25.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

dlrarhsiva.exe

pid	Process
2540	dlrarhsiva.exe

Drops file in Program Files directory 2 IoCs

Processes:

CrimsonRAT.exe

description	ioc	Process
File created	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe
File opened for modification	C:\PROGRA~3\Hdlharas\dlrarhsiva.exe	CrimsonRAT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

CrimsonRAT.exe

description	pid	Process	procid_target
PID 1056 wrote to memory of 2540	1056	CrimsonRAT.exe	28
PID 1056 wrote to memory of 2540	1056	CrimsonRAT.exe	28
PID 1056 wrote to memory of 2540	1056	CrimsonRAT.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\RAT\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\CrimsonRAT.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1056
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
2.5MB

MD5
cef73a0bf7b40c0f1a564acb3abdb05d

SHA1
9d5c9629f15a4669ac6ae9399159af1f84236ff0

SHA256
9bf6c1c84c60cf2165216c425b2d331f23480e5072de144004a4816a5786f65b

SHA512
5c1197ef8b03fa2e9f1b34ed6de0bc3def6215ff7ce3d92c47fc11dad393f96fc34206659606dffbd853b97453ef93a528b98ce15726fe6d485e9563ede19ebb

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
2.6MB

MD5
8e0c89459037fc21ae30e27b882c348b

SHA1
2130bbf708b972949b5aeaeff54824c25044ac88

SHA256
b2990482d9ab127c26d461dee191c1582b5d470293a5c8c4bfa70eb03eb4a414

SHA512
7dc0dc181a6a162bde42c57bdf39bd64398e9e7074c7a9c839ad22ddf91302689795344d744344f8483f2def8d80e78a0d5904303f225b0ab1ad43fa62e1253c

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
2.2MB

MD5
9361f88dc9493f8bd4af17f84094d1ad

SHA1
214c3a29b9bece69a1cc23de82b9b379bdcaced2

SHA256
1a993aa1d91835fee0ac07c1c879d175d0296d0857d291d3c0497eceda82f100

SHA512
00902bf7e026baacdbc1b53c8bdab83c323dc6161966fa779b3d20de2301c46a39dff5e97d884c4b63d0ec0a3cfcc10c7d63ad28ef9932f3d6ef9c1453d5c3d6

Download Submit
memory/1056-2-0x0000000000190000-0x0000000000210000-memory.dmp

Filesize
512KB

Download
memory/1056-1-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/1056-0-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/1056-30-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-27-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-28-0x0000000000B70000-0x0000000001484000-memory.dmp

Filesize
9.1MB

Download
memory/2540-29-0x000000001BBB0000-0x000000001BC30000-memory.dmp

Filesize
512KB

Download
memory/2540-31-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

Filesize
9.9MB

Download
memory/2540-32-0x000000001BBB0000-0x000000001BC30000-memory.dmp

Filesize
512KB

Download