crimsonrat | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrimsonRAT.exe
Size

84KB
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CrimsonRAT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 1 IoCs

Processes:

dlrarhsiva.exe

pid process

3952 dlrarhsiva.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3952	dlrarhsiva.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

CrimsonRAT.exe

description	pid	process	target process
PID 5108 wrote to memory of 3952	5108	CrimsonRAT.exe	dlrarhsiva.exe
PID 5108 wrote to memory of 3952	5108	CrimsonRAT.exe	dlrarhsiva.exe

C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
memory/3952-34-0x0000020C7AE70000-0x0000020C7B784000-memory.dmp

Filesize
9.1MB

Download
memory/3952-35-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-36-0x0000020C7BB70000-0x0000020C7BB80000-memory.dmp

Filesize
64KB

Download
memory/3952-39-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/3952-40-0x0000020C7BB70000-0x0000020C7BB80000-memory.dmp

Filesize
64KB

Download
memory/5108-0-0x0000014A07770000-0x0000014A0778E000-memory.dmp

Filesize
120KB

Download
memory/5108-2-0x0000014A094E0000-0x0000014A094F0000-memory.dmp

Filesize
64KB

Download
memory/5108-1-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-38-0x00007FFBCC4E0000-0x00007FFBCCFA1000-memory.dmp

Filesize
10.8MB

Download