crimsonrat | a2706ced712d733502af5ba0f15945a7c9744aa2fb1d9d98cc7aa3c128c5b523 | Triage

Submit
Reports

Overview

overview

Static

static

1

The-MALWARE-Repo

windows7-x64

6

The-MALWARE-Repo

windows10-2004-x64

Resubmissions

27-10-2024 06:37

241027-hdl29asnap 10

27-10-2024 06:34

241027-hbv75ssrav 8

Sharing

General

Target

The-MALWARE-Repo
Size

298KB
Sample

241027-hdl29asnap
MD5

07c71f38ba70d3cd08780578f673366b
SHA1

91920288a31959a00ba02ee68dbe64c874203e01
SHA256

a2706ced712d733502af5ba0f15945a7c9744aa2fb1d9d98cc7aa3c128c5b523
SHA512

56b93f6a9f77f715bca4b4fa07bfde2adf7440d8b01b8048bf1eb7cb6b446e15d0b4eaa9299dd001e3ea33d4c9fd30761334aebbccd9eb55528eeb50297b3cf6
SSDEEP

6144:yLouSpOL/saqkPV9FemLtcsDSsmwF9VvZJT3CqbMrhryf65NRPaCieMjAkvCJv1N:AouSpOL/saqkPV9FemLtcsDSsmwF9Vv4

Score

10^/10

crimsonrat agilenet discovery evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

The-MALWARE-Repo

Resource

win7-20241010-en

windows7-x64

8 signatures

150 seconds

Behavioral task

behavioral2

Sample

The-MALWARE-Repo

Resource

win10v2004-20241007-en

crimsonrat agilenet discovery evasion persistence rat trojan

windows10-2004-x64

32 signatures

150 seconds

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

- Target
  
  The-MALWARE-Repo
- Size
  
  298KB
- MD5
  
  07c71f38ba70d3cd08780578f673366b
- SHA1
  
  91920288a31959a00ba02ee68dbe64c874203e01
- SHA256
  
  a2706ced712d733502af5ba0f15945a7c9744aa2fb1d9d98cc7aa3c128c5b523
- SHA512
  
  56b93f6a9f77f715bca4b4fa07bfde2adf7440d8b01b8048bf1eb7cb6b446e15d0b4eaa9299dd001e3ea33d4c9fd30761334aebbccd9eb55528eeb50297b3cf6
- SSDEEP
  
  6144:yLouSpOL/saqkPV9FemLtcsDSsmwF9VvZJT3CqbMrhryf65NRPaCieMjAkvCJv1N:AouSpOL/saqkPV9FemLtcsDSsmwF9Vv4
Score

10^/10

discovery crimsonrat agilenet evasion persistence rat trojan
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- UAC bypass
  evasion trojan
- Downloads MZ/PE file
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

crimsonratagilenetdiscoveryevasionpersistencerattrojan

© 2018-2024

Terms | Privacy