crimsonrat | 0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RAT/CrimsonRAT.exe
Size

84KB
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 3 IoCs

Processes:

resource	yara_rule
behavioral8/files/0x000700000002322d-25.dat	family_crimsonrat
behavioral8/files/0x000700000002322d-33.dat	family_crimsonrat
behavioral8/files/0x000700000002322d-32.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CrimsonRAT.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 1 IoCs

Processes:

dlrarhsiva.exe

pid	Process
2248	dlrarhsiva.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

CrimsonRAT.exe

description	pid	Process	procid_target
PID 4312 wrote to memory of 2248	4312	CrimsonRAT.exe	91
PID 4312 wrote to memory of 2248	4312	CrimsonRAT.exe	91

C:\Users\Admin\AppData\Local\Temp\RAT\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
5.0MB

MD5
f9e2871bacf4b64cb90df6208d03a4e4

SHA1
a3e8bfb670d6f14110b2dfdc2a5c474464393f2d

SHA256
eb7b640a61251484b02c59ae6532ca56f48f25d62f74cc02eeacdeca7dc89ab4

SHA512
d78c1a739b25d81a02d28e14418a33dc49aa930d7a1c7c8353246308906b26fa94bb763b27dde904de24f7752ac18ccd57e93d39526b03ace6e49676ab85c027

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
5.5MB

MD5
1e2acf344c450c0bb30e83861a0dc46a

SHA1
4c3c1400c285b09d99464884df087d66c99407e4

SHA256
8a310a7e973f69d368b0d4f680e868c4cf4e9f118480ff9c3afb6d4a30cc3d4f

SHA512
e5e316ea4cf2a2884e948be6ea8523d845a018b99cd4efcbbd44efdca423144ec8aecc08b7f6b585ec8f80a5b56c19ae276921ae0cef186a801350c49efb6172

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
3.8MB

MD5
d2b458d519c28651c3e14454a03c31d0

SHA1
c671a2bed2a14d90a4baaa350eebf1e4504444c7

SHA256
1af10b09203dc1b76d0b6d07d7089f2a4f834d511a3dc4bd7ea478b67b11afae

SHA512
6509eb94624fb51413a6b43179f8b79edba0a49103c1e8089f048798ab5ca2bc6385cb4bb681f23fd612df373950255e490e58ef0788cd37316530bc5d8b9017

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
memory/2248-35-0x000001A857980000-0x000001A858294000-memory.dmp

Filesize
9.1MB

Download
memory/2248-34-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp

Filesize
10.8MB

Download
memory/2248-38-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp

Filesize
10.8MB

Download
memory/4312-0-0x0000028897CB0000-0x0000028897CCE000-memory.dmp

Filesize
120KB

Download
memory/4312-1-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp

Filesize
10.8MB

Download
memory/4312-2-0x00000288B22E0000-0x00000288B22F0000-memory.dmp

Filesize
64KB

Download
memory/4312-37-0x00007FFE760C0000-0x00007FFE76B81000-memory.dmp

Filesize
10.8MB

Download