crimsonrat | 97ce63444a82e4301bc6c0ec38ea30452f31b100fa30b8d616bc7eb1bf0a482d | Triage

Sharing

General

Target

Utilla_1.dll
Size

32KB
Sample

240804-fd4aeswglq
MD5

507c8df844d325053a70f909a0e3bcdc
SHA1

9a74b55805e67299ffafe0ea150fd81f11bc6dbc
SHA256

97ce63444a82e4301bc6c0ec38ea30452f31b100fa30b8d616bc7eb1bf0a482d
SHA512

bda872730d77197c8491fd7bb5ac174822972c3e3d5d59120cd2febc6a0368891332dbcd47335e51b33729eb877ddb3b587a3372b3e8263a54a0f520d8779fc0
SSDEEP

768:QOBGC29wjrE58Iu3ZBdrXm8VsB17DeTNxYD:QOBGC26jrE58IuhrXFVsCNxYD

Score

10^/10

crimsonrat modiloader discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

- Target
  
  Utilla_1.dll
- Size
  
  32KB
- MD5
  
  507c8df844d325053a70f909a0e3bcdc
- SHA1
  
  9a74b55805e67299ffafe0ea150fd81f11bc6dbc
- SHA256
  
  97ce63444a82e4301bc6c0ec38ea30452f31b100fa30b8d616bc7eb1bf0a482d
- SHA512
  
  bda872730d77197c8491fd7bb5ac174822972c3e3d5d59120cd2febc6a0368891332dbcd47335e51b33729eb877ddb3b587a3372b3e8263a54a0f520d8779fc0
- SSDEEP
  
  768:QOBGC29wjrE58Iu3ZBdrXm8VsB17DeTNxYD:QOBGC26jrE58IuhrXFVsCNxYD
Score

10^/10

crimsonrat modiloader discovery evasion execution persistence privilege_escalation rat trojan
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- ModiLoader First Stage
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Modifies Windows Firewall
  evasion
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

crimsonratmodiloaderdiscoveryevasionexecutionpersistenceprivilege_escalationrattrojan