Extracted

Extracted

• • Target

    RNSM00404.7z

  • Size

    25.8MB

  • MD5

    844dfc4810bde18e3da4d092cd560d5c

  • SHA1

    2a5725892a4483405c2f26bf8a13cc2a45227f74

  • SHA256

    740156feb78cfac7d5857440644d1f48d92e11dafc19254fe242f1d88c77845e

  • SHA512

    6e92f563364c8d8afb7da868eefa850af85b01cc5b281dc24767d5b663761ea2b7c681c003ffaa84652475a3b9e789286f39de7a98a18aea55ad492ade713f7a

  • SSDEEP

    786432:aFfGfapEu6jExCTmhParsGQMI/ukByRu76G0irc:2f1p+cCEPFGQUZRzG0ig

  Score

  10^/10

  crimsonratgandcrabhawkeye_rebornm00nd3v_loggeragilenetbackdoorcollectioncredential_accessdiscoveryevasioninfostealerkeyloggerpersistenceprivilege_escalationransomwareratspywarestealertrojan

  • CrimsonRAT main payload

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Crimsonrat family

    crimsonrat

  • GandCrab payload

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

    ransomwarebackdoorgandcrab

  • Gandcrab family

    gandcrab

  • HawkEye Reborn

    HawkEye Reborn is an enhanced version of the HawkEye malware kit.

    keyloggertrojanstealerspywarehawkeye_reborn

  • Hawkeye_reborn family

    hawkeye_reborn

  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger

  • M00nd3v_logger family

    m00nd3v_logger

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • Detected Nirsoft tools

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • M00nD3v Logger payload

    Detects M00nD3v Logger payload in memory.

    infostealer

  • NirSoft MailPassView

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView

    Password recovery tool for various web browsers

  • Renames multiple (1842) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware

  • Modifies Windows Firewall

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager

    Suspicious access to Credentials History.

    credential_accessstealer

  • Deletes itself

  • Drops startup file

  • Executes dropped EXE

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Accesses Microsoft Outlook accounts

    collection

  • Adds Run key to start application

    persistence

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1