crimsonrat | 1347eab7618fa7c80e716cb6634f1a2f72a7c51a58afe59b3f57a2e35f957937 | Triage

Submit
Reports

Overview

overview

Static

static

1

belge1.png

windows10-1703-x64

Sharing

General

Target

belge1.png
Size

3.9MB
Sample

240803-k8x44syflp
MD5

bf5ef288a9835e272c3f2a67f7dd76f2
SHA1

b8c2053e414148754b26cc358078aadb366c9a84
SHA256

1347eab7618fa7c80e716cb6634f1a2f72a7c51a58afe59b3f57a2e35f957937
SHA512

4355002506845f9cc68183cd6adf081bdf473dff275014b3586f8ff450a9ae4644f430b9358b55a8f82774494d9c6a0557e8fce857c99f26f1d17bee3a71d913
SSDEEP

98304:6yrA2oNFsjHj9Ym9vEhmEj043Sk4ytSJM366c52HHMQg:Fz8sjH99adr3CYHMQg

Score

10^/10

crimsonrat lumma njrat defense_evasion discovery evasion persistence privilege_escalation rat stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

belge1.png

Resource

win10-20240404-en

crimsonrat lumma njrat defense_evasion discovery evasion persistence privilege_escalation rat stealer trojan

windows10-1703-x64

32 signatures

1200 seconds

Malware Config

Extracted

Family

lumma

C2

https://extorteauhhwigw.shop/api

https://bouncedgowp.shop/api

https://bannngwko.shop/api

https://bargainnykwo.shop/api

https://affecthorsedpo.shop/api

https://radiationnopp.shop/api

https://answerrsdo.shop/api

https://publicitttyps.shop/api

https://benchillppwo.shop/api

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Family

lumma

C2

https://extorteauhhwigw.shop/api

Targets

- Target
  
  belge1.png
- Size
  
  3.9MB
- MD5
  
  bf5ef288a9835e272c3f2a67f7dd76f2
- SHA1
  
  b8c2053e414148754b26cc358078aadb366c9a84
- SHA256
  
  1347eab7618fa7c80e716cb6634f1a2f72a7c51a58afe59b3f57a2e35f957937
- SHA512
  
  4355002506845f9cc68183cd6adf081bdf473dff275014b3586f8ff450a9ae4644f430b9358b55a8f82774494d9c6a0557e8fce857c99f26f1d17bee3a71d913
- SSDEEP
  
  98304:6yrA2oNFsjHj9Ym9vEhmEj043Sk4ytSJM366c52HHMQg:Fz8sjH99adr3CYHMQg
Score

10^/10

crimsonrat lumma njrat defense_evasion discovery evasion persistence privilege_escalation rat stealer trojan
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Downloads MZ/PE file
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

crimsonratlummanjratdefense_evasiondiscoveryevasionpersistenceprivilege_escalationratstealertrojan

© 2018-2024

Terms | Privacy