General

  • Target

    The Deads Revenge.zip

  • Size

    103.4MB

  • Sample

    240708-zskams1cjh

  • MD5

    07ca675aa8522462f9fc910b8928ed4c

  • SHA1

    32ba71e5613f12020030d443796420ac62882a97

  • SHA256

    a56f0dad9e24a4d7753de5ea9b5db4bc8e2ecc8b78381f87f31ed13109414e03

  • SHA512

    13a5ffddae459f20de69e93f2a8fa5fcafe9a1cd4e06aa05c1b5456677a71a47eeacd341fbd5056c126056cc2447e39e29618469bebab7885c36bf5b0faac54c

  • SSDEEP

    3145728:6rK45Vxi6potyOWE11Nnvx2W7ej6GDeAzjBOPCTn:6rZniz8OrDvx17S6YeAzjBOPCj

Malware Config

Extracted

  • Family

    crimsonrat

  • C2

    185.136.161.124

Targets

    • Target

      The Deads Revenge.exe

    • Size

      104.1MB

    • MD5

      53cef85542a906baaaecd4ba69b36a88

    • SHA1

      ac3794aedb39edde36deb359b2f3dfd3519c55db

    • SHA256

      62cb74ffaa717c197cff301a177b079ab863720cb5c86d7d0bc5edb480026930

    • SHA512

      b119b67cf9ef76f24d58ca64016df448e611fa78ff60f90977acc4b7798e119c2bb2304037560bb2fef7369de3e0e2e68b8fc8a138fe3afcd841ccaf428c97af

    • SSDEEP

      3145728:A6gYRPSC++6y9Jk7pLX5M3gbcKC9/nX3SEv2x6:xxaC4y9eVLE2C9/HSEv2

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks