Extracted

• • Target

    RNSM00443.7z

  • Size

    98.7MB

  • MD5

    ffd83cd295f7cbc6d53e04355002f1f7

  • SHA1

    10537b6b3ab6ea409ce1b4051e947f3b78d33f68

  • SHA256

    720447db58834d8082eefc2f5b97e7567a6c6c6337c2e40300894fe8a467b671

  • SHA512

    be26c60d2ce2cf987ff33d1645a82220903edc986e9acef4add8d676d39e4083f2e6e7af0797639e2a4910dd43313b987beb15b8cc9c9cbd5f49cc2696f1d614

  • SSDEEP

    1572864:BLWlEuS5AE1Iq4FF3FJzDHuIHOp0+jMPEVDlxbQsApL/PtqclAT93WV5ajmYMHcj:BSqfAnq4FrBRH+jZVf05/lqGeQimPcj3

  Score

  10^/10

  crimsonratmafiaware666vanillaratdiscoveryevasionpersistenceransomwarerat

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Detect MafiaWare666 ransomware

  • MafiaWare666 Ransomware

    MafiaWare666 is ransomware written in C# with multiple variants.

    ransomwaremafiaware666

  • Modifies WinLogon for persistence

    persistence

  • VanillaRat

    VanillaRat is an advanced remote administration tool coded in C#.

    ratvanillarat

  • Renames multiple (85) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Vanilla Rat payload

    rat

  • Disables Task Manager via registry modification

    evasion

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Legitimate hosting services abused for malware hosting/C2

  • Sets desktop wallpaper using registry

    ransomware

  • Suspicious use of SetThreadContext

  behavioral1