Analysis
max time kernel: 143s
max time network: 129s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 12:57
Behavioral tasks
- behavioral1: sample CraxsRat 3.9.2.rar, resource win10-20240404-en
- behavioral2: sample CraxsRat 3.9.2.rar, resource win7-20240508-en
- behavioral3: sample CraxsRat 3.9.2.rar, resource win10v2004-20240426-en
- behavioral4: sample CraxsRat 3.9.2.rar, resource win11-20240508-en
General
Target: CraxsRat 3.9.2.rar
Size: 335.5MB
MD5: ea8c95aec54968aa5358790411e37e6d
SHA1: 05510fea19888a114801a160ba7771229b2afb71
SHA256: e37a2e844d1e25a064d475442d514b020e9950c465beee965df45f4e0f445c60
SHA512: 1f30339aa05641746c102d5810a21c6633eae3966d3802d4d44090edc3f51cc9b9d917ddcd5688a537a8d714d37f37bc5293fcf15f250de93536576edca17436
SSDEEP: 6291456:/9vuWlbABKecinWAsHQcwSsMykkRm0yP8SkyykkRm0yP8SkO:/9G4sKo0HvwSvd78Cd78W
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
  pid | process
  2700 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
  pid | process
  2700 | vlc.exe
- Suspicious use of FindShellTrayWindow (9 IoCs)
  Processes: vlc.exe
  pid | process
  2700 | vlc.exe (9 identical entries)
- Suspicious use of SendNotifyMessage (8 IoCs)
  Processes: vlc.exe
  pid | process
  2700 | vlc.exe (8 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: vlc.exe
  pid | process
  2700 | vlc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2424 wrote to memory of 2652 | 2424 | cmd.exe | rundll32.exe (3 identical entries)
  PID 2652 wrote to memory of 2516 | 2652 | rundll32.exe | rundll32.exe (3 identical entries)
  PID 2516 wrote to memory of 2700 | 2516 | rundll32.exe | vlc.exe (3 identical entries)
Processes
1. C:\Windows\system32\cmd.exe
   command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
   PID: 2424
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar
      PID: 2652
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar
         PID: 2516
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files\VideoLAN\VLC\vlc.exe
            command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\CraxsRat 3.9.2.rar"
            PID: 2700
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx