crimsonrat | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrimsonRAT.exe
Size

84KB
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 3 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CrimsonRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 1 IoCs

Processes:

dlrarhsiva.exe

pid process

4564 dlrarhsiva.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4564	dlrarhsiva.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

CrimsonRAT.exe

description	pid	process	target process
PID 3728 wrote to memory of 4564	3728	CrimsonRAT.exe	dlrarhsiva.exe
PID 3728 wrote to memory of 4564	3728	CrimsonRAT.exe	dlrarhsiva.exe

C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3728
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
3.7MB

MD5
b91a9618cd2833981c4443dbe6cab195

SHA1
9afe3495edaf373b7ee720eb283babcee40af575

SHA256
dc98704876c5d21e6c36f658b4758fe2c71a5471c908c528735c32bae4cf070e

SHA512
8e79b46b32bd0df2e469d011776dd61cfe68b99f7c98c11ce0a53b583ed75374212cf5997551d583a5ee23c3a735c7c45500274fa843c8030af4fc4149fcdb89

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
2.3MB

MD5
9eb261c4586725d20b29d6b9c93d0213

SHA1
a473e8a83a3d3e5080690b74efce153193dd7963

SHA256
8e1da98598355b7038b3fc8bd525a1ad03324e8dc1d2dc84be58d150277cdd86

SHA512
6c58931794cc12949b2a5ac1efcf5124b400ff2a7a2a108d0fba739cf15ae1ed60a58505c8be098cb9488349f91cb780e2e799c59f2c83bf78d64453aca6865d

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
384KB

MD5
534b9391200855b698e894a71e5ba3fa

SHA1
6a05233273305ef5c21a75750214cb808aac983f

SHA256
0df0a7941a95e86b6d6dba9d26a592c16feaf4a80bb6e29ef602acc0fa44f264

SHA512
2bf8264fe254e061f13ebd8d2d174d0121c886a4ccf6e3b815036125a5117a475014200e897896e6627260f2fb4d2dc243814d70ec51e9225db547f744841fdf

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
memory/3728-0-0x000002C531B00000-0x000002C531B1E000-memory.dmp

Filesize
120KB

Download
memory/3728-2-0x000002C5337C0000-0x000002C5337D0000-memory.dmp

Filesize
64KB

Download
memory/3728-1-0x00007FFB846D0000-0x00007FFB85191000-memory.dmp

Filesize
10.8MB

Download
memory/3728-38-0x00007FFB846D0000-0x00007FFB85191000-memory.dmp

Filesize
10.8MB

Download
memory/4564-34-0x0000023D12030000-0x0000023D12944000-memory.dmp

Filesize
9.1MB

Download
memory/4564-35-0x00007FFB846D0000-0x00007FFB85191000-memory.dmp

Filesize
10.8MB

Download
memory/4564-37-0x0000023D2D0D0000-0x0000023D2D0E0000-memory.dmp

Filesize
64KB

Download
memory/4564-39-0x00007FFB846D0000-0x00007FFB85191000-memory.dmp

Filesize
10.8MB

Download
memory/4564-40-0x0000023D2D0D0000-0x0000023D2D0E0000-memory.dmp

Filesize
64KB

Download