Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-04-2024 18:05
Static task
static1
Behavioral task
behavioral1
Sample
CrimsonRAT.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
CrimsonRAT.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
CrimsonRAT.exe
Resource
win10-20240404-en
Behavioral task
behavioral4
Sample
CrimsonRAT.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
CrimsonRAT.exe
Resource
win11-20240221-en
General
-
Target
CrimsonRAT.exe
-
Size
84KB
-
MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c
-
SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60
-
SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
-
SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
SSDEEP
1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG
Malware Config
Extracted
crimsonrat
185.136.161.124
Signatures
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral4/files/0x0007000000023222-25.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation CrimsonRAT.exe -
Executes dropped EXE 1 IoCs
pid Process 3952 dlrarhsiva.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5108 wrote to memory of 3952 5108 CrimsonRAT.exe 88 PID 5108 wrote to memory of 3952 5108 CrimsonRAT.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
PID:3952
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af