General
-
Target
.
-
Size
146KB
-
Sample
240410-qyzsvacg7w
-
MD5
67fb0746b32fcc4e7f6e18c0844692e1
-
SHA1
3c46abe5da507adc0670f45605a59f0fcba875ce
-
SHA256
8a29361543c5d1c9de3ef492e175490f45cd9642e5db8dd74440dab193015570
-
SHA512
8c8ee62f7acd5c0a29c90b7facfbcef99f9bf4f8cd243c6a2244525a4feab3ee9ff8c0f6c9fccf0ccacff881ae71db00f63cbe02943e8ede8205653a5b20873a
-
SSDEEP
1536:ojkud8LVV0MK4DofxR4DJllCMhYz30vD932es4DsHhqiS:ckPLhApMllrCqeHhqiS
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
netwire
tamerimia.ug:6975
vbchjfssdfcxbcver.ru:6975
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
AAAAA
-
lock_executable
false
-
mutex
CQbRXVuG
-
offline_keylogger
false
-
password
jhbkdcfgvdfgknl
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
.
-
Size
146KB
-
MD5
67fb0746b32fcc4e7f6e18c0844692e1
-
SHA1
3c46abe5da507adc0670f45605a59f0fcba875ce
-
SHA256
8a29361543c5d1c9de3ef492e175490f45cd9642e5db8dd74440dab193015570
-
SHA512
8c8ee62f7acd5c0a29c90b7facfbcef99f9bf4f8cd243c6a2244525a4feab3ee9ff8c0f6c9fccf0ccacff881ae71db00f63cbe02943e8ede8205653a5b20873a
-
SSDEEP
1536:ojkud8LVV0MK4DofxR4DJllCMhYz30vD932es4DsHhqiS:ckPLhApMllrCqeHhqiS
Score10/10-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modifies WinLogon for persistence
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
UAC bypass
-
ModiLoader First Stage
-
RevengeRat Executable
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Installed Components in the registry
-
Sets file execution options in registry
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry
-
Uses Session Manager for persistence
Creates Session Manager registry key to run executable early in system boot.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
Uses the VBS compiler for execution
-
Windows security modification
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
6Winlogon Helper DLL
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
7Registry Run Keys / Startup Folder
6Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
10Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Hide Artifacts
2Hidden Files and Directories
2Scripting
1Pre-OS Boot
1Bootkit
1