Analysis Overview
SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
Threat Level: Known bad
The file CrimsonRAT.exe was found to be: Known bad.
Malicious Activity Summary
CrimsonRAT main payload
CrimsonRat
Crimsonrat family
Checks computer location settings
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-30 16:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-30 16:47
Reported
2024-11-30 16:48
Platform
win10v2004-20241007-en
Max time kernel
33s
Max time network
34s
Command Line
Signatures
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1152 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
| PID 1152 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FR | 185.136.161.124:6128 | | tcp |
Files
memory/1152-0-0x00007FFA367A3000-0x00007FFA367A5000-memory.dmp
memory/1152-1-0x0000026198B70000-0x0000026198B8E000-memory.dmp
memory/1152-2-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
C:\ProgramData\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA1 | 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
| SHA512 | 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA1 | d4f978177394024bb4d0e5b6b972a5f72f830181 |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
| SHA512 | 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a |
memory/400-34-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/400-35-0x000002456BD80000-0x000002456C694000-memory.dmp
memory/400-36-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/1152-38-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
memory/400-39-0x00007FFA367A0000-0x00007FFA37261000-memory.dmp
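The indicators in the Processes, Network and Files sections above (the drop path under C:\ProgramData\Hdlharas, the TCP endpoint 185.136.161.124:6128 and the three SHA256 hashes) turned into a small hunting script, as an added example that is not part of this report. The telemetry records, their `key=value|key=value` format, and the function names are constructed for illustration and loosely mimic Sysmon fields; they are not a vendor schema.

```python
"""Match the indicators from this CrimsonRAT report against endpoint telemetry.

Added example, not part of the sandbox report. The record format, the sample
lines and the scoring rule are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Indicators copied from the report: sample and dropped-file SHA256 hashes,
# the drop directory under ProgramData, and the single TCP C2 endpoint.
IOC_SHA256 = {
    "dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba": "CrimsonRAT.exe (submitted sample)",
    "87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad": "dlrarhsiva.exe (dropped payload)",
    "6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e": "mdkhm.zip (dropped archive)",
}
IOC_PATHS = {
    r"c:\programdata\hdlharas\dlrarhsiva.exe",
    r"c:\programdata\hdlharas\mdkhm.zip",
}
IOC_C2 = {("185.136.161.124", "6128")}
# The Geo\Nation query is a weak signal on its own: many benign programs read
# it. It only adds context when the same process also trips a strong IOC.
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

STRONG, WEAK = "strong", "weak"


def parse_event(line: str) -> dict:
    """Split one constructed 'k=v|k=v' record into a dict (values unchanged)."""
    fields = {}
    for pair in line.strip().split("|"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def match_event(ev: dict) -> list:
    """Return (confidence, reason) pairs for every report IOC this event hits."""
    hits = []
    kind = ev.get("EventType")
    image = ev.get("Image", "").lower()
    if kind == "ProcessCreate":
        if image in IOC_PATHS:
            hits.append((STRONG, f"process image matches dropped payload path {ev['Image']}"))
        label = IOC_SHA256.get(ev.get("SHA256", "").lower())
        if label:
            hits.append((STRONG, f"SHA256 matches {label}"))
    elif kind == "FileCreate":
        if ev.get("TargetFilename", "").lower() in IOC_PATHS:
            hits.append((STRONG, f"wrote {ev['TargetFilename']}"))
    elif kind == "NetworkConnect":
        if (ev.get("DestinationIp"), ev.get("DestinationPort")) in IOC_C2:
            hits.append((STRONG, f"connected to C2 {ev['DestinationIp']}:{ev['DestinationPort']}/{ev.get('Protocol', '?')}"))
    elif kind == "RegistryQuery":
        if GEO_NATION_RE.search(ev.get("TargetObject", "")):
            hits.append((WEAK, "queried Control Panel\\International\\Geo\\Nation (location check)"))
    return hits


def scan(telemetry: str) -> dict:
    """Group every hit by ProcessId so weak and strong signals are read together."""
    by_pid = defaultdict(list)
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for hit in match_event(ev):
            by_pid[ev.get("ProcessId", "?")].append(hit)
    return dict(by_pid)


def alerting_pids(telemetry: str) -> set:
    """PIDs worth an alert: at least one strong IOC match (weak-only PIDs are not)."""
    return {pid for pid, hits in scan(telemetry).items()
            if any(conf == STRONG for conf, _ in hits)}


# Constructed telemetry: the first five lines replay the report's behaviour
# (sample start, location check, drop, child start, C2 connect); the last two
# are a benign process that also reads Geo\Nation and does DNS, to show that
# the weak signal alone does not alert.
SAMPLE_TELEMETRY = r"""
ts=2024-11-30T16:47:10Z|EventType=ProcessCreate|ProcessId=1152|Image=C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe|SHA256=dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
ts=2024-11-30T16:47:11Z|EventType=RegistryQuery|ProcessId=1152|Image=C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe|TargetObject=HKU\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
ts=2024-11-30T16:47:12Z|EventType=FileCreate|ProcessId=1152|Image=C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe|TargetFilename=C:\ProgramData\Hdlharas\dlrarhsiva.exe
ts=2024-11-30T16:47:13Z|EventType=ProcessCreate|ProcessId=400|ParentProcessId=1152|Image=C:\ProgramData\Hdlharas\dlrarhsiva.exe|SHA256=87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
ts=2024-11-30T16:47:20Z|EventType=NetworkConnect|ProcessId=400|Image=C:\ProgramData\Hdlharas\dlrarhsiva.exe|DestinationIp=185.136.161.124|DestinationPort=6128|Protocol=tcp
ts=2024-11-30T16:47:21Z|EventType=RegistryQuery|ProcessId=2222|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
ts=2024-11-30T16:47:22Z|EventType=NetworkConnect|ProcessId=2222|Image=C:\Windows\explorer.exe|DestinationIp=8.8.8.8|DestinationPort=53|Protocol=udp
"""

if __name__ == "__main__":
    alerts = alerting_pids(SAMPLE_TELEMETRY)
    for pid, hits in sorted(scan(SAMPLE_TELEMETRY).items()):
        print(pid, "ALERT" if pid in alerts else "info")
        for conf, reason in hits:
            print(f"  [{conf}] {reason}")
```

Two design choices worth noting. The Geo\Nation registry query is kept as a weak signal that never alerts by itself, because it is a routine locale lookup; it is only useful as corroboration next to a hash, path or C2 match from the same process. The in-addr.arpa lookups to 8.8.8.8 in the Network table are reverse-DNS queries for unrelated addresses and are treated here as sandbox noise rather than indicators; only the 185.136.161.124:6128 TCP connection is used.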