crimsonrat | 386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef

General

Target

386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls
Size

401KB
MD5

02ba9703d1f250b411ea4c868d17fd2e
SHA1

27d7eab43b66abd73cdc8da304dbb2daa9842df0
SHA256

386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef
SHA512

c2803749c6dd777f02312ee635c12930082343eab4153c3691cf8bcfe8ec0925d134e094bffee2ceb918a58d59176f07b43fb7b0ba8573325a63eefca487f24c
SSDEEP

6144:QxEtjPOtioVjDGUU1qfDlavx+W2QnADP:e

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Mldhrab\hargardius.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

hargardius.exe

pid process

4620 hargardius.exe

pid	process
4620	hargardius.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4868 EXCEL.EXE

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

EXCEL.EXE

pid	process
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE
4868	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 4868 wrote to memory of 4620	4868	EXCEL.EXE	hargardius.exe
PID 4868 wrote to memory of 4620	4868	EXCEL.EXE	hargardius.exe
PID 4868 wrote to memory of 4620	4868	EXCEL.EXE	hargardius.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868
- C:\ProgramData\Mldhrab\hargardius.exe
  C:\ProgramData\Mldhrab\hargardius.exe
  2⤵
  - Executes dropped EXE
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mldhrab\hargardius.exe

Filesize
9.1MB

MD5
80c092fa7a3558e429c0667cfe1180a1

SHA1
8f430367ad843012f8a0d1901103c8d7546d843d

SHA256
5a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6

SHA512
ce1a67abd9ff7396add8dce6379715cfdb5a6e4d59714584232438f80cfa910bf815e15bf7f47535969d830c8f3ac984fca6c5be6c52a6c2ad05a0ebdfc66863

Download Submit
C:\ProgramData\Mldhrab\hargardius.zip

Filesize
52KB

MD5
2bfd5f0385aa66b2a0cb2a41835a2c64

SHA1
228e5c6771f77734aac0198250539055a2c83dfe

SHA256
1bec9da6aa9e788cade70f6a62076f16ceef9a5b84cec3010bce9117dd9baea6

SHA512
3908cda6ce7dd72a73c89efc27999c4ce361699f08c916eefdb7f98b8739ef23b71c6b4e12f079b080cbcef341143247facb6da6ab10b42f1acb7069f69352d8

Download Submit
memory/4620-93-0x0000000001790000-0x00000000017A0000-memory.dmp

Filesize
64KB

Download
memory/4620-92-0x0000000001790000-0x00000000017A0000-memory.dmp

Filesize
64KB

Download
memory/4620-91-0x0000000001790000-0x00000000017A0000-memory.dmp

Filesize
64KB

Download
memory/4620-90-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4620-75-0x0000000075180000-0x0000000075731000-memory.dmp

Filesize
5.7MB

Download
memory/4620-76-0x0000000001790000-0x00000000017A0000-memory.dmp

Filesize
64KB

Download
memory/4868-9-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-23-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-10-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-12-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-11-0x00007FFA50F20000-0x00007FFA50F30000-memory.dmp

Filesize
64KB

Download
memory/4868-13-0x00007FFA50F20000-0x00007FFA50F30000-memory.dmp

Filesize
64KB

Download
memory/4868-14-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-15-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-17-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-16-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-18-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-19-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-20-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-21-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-22-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-0-0x00007FFA53090000-0x00007FFA530A0000-memory.dmp

Filesize
64KB

Download
memory/4868-28-0x000001E7FF270000-0x000001E7FFA70000-memory.dmp

Filesize
8.0MB

Download
memory/4868-30-0x000001E787F00000-0x000001E788100000-memory.dmp

Filesize
2.0MB

Download
memory/4868-8-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-6-0x00007FFA53090000-0x00007FFA530A0000-memory.dmp

Filesize
64KB

Download
memory/4868-7-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-3-0x00007FFA53090000-0x00007FFA530A0000-memory.dmp

Filesize
64KB

Download
memory/4868-87-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-88-0x000001E7FF270000-0x000001E7FFA70000-memory.dmp

Filesize
8.0MB

Download
memory/4868-89-0x000001E787F00000-0x000001E788100000-memory.dmp

Filesize
2.0MB

Download
memory/4868-5-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-4-0x00007FFA93010000-0x00007FFA93205000-memory.dmp

Filesize
2.0MB

Download
memory/4868-2-0x00007FFA53090000-0x00007FFA530A0000-memory.dmp

Filesize
64KB

Download
memory/4868-1-0x00007FFA53090000-0x00007FFA530A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads