General

  • Target

    RAT.zip

  • Size

    3.3MB

  • Sample

    241206-mr79vstkgs

  • MD5

    903beb9c404e734ecb94ff771df81a17

  • SHA1

    a6d771037f370909e1637a683902a8fa2050e900

  • SHA256

    a27ff09ec8cbc4b9bad0679d8922ed1dd22fbf9bcf472ba69c1e413e6785dfa3

  • SHA512

    f4314bbd478c984e2da8cee39d60d78033e643ff9877b4758b8144f85b96c68d026f867d150f79c79bb0ce36b28cd63763e81c36c9cf8ec631d1dd447f094392

  • SSDEEP

    49152:XaoQKZtf5ApLv4s+SelbXdkFgMxf4HuqM+QqKEUCPtppfIN5H3N55ztvhDbcqfpc:9tfeDmhXdckuXqxlPaD3xzt5XVnI

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      RAT/Adwind.exe

    • Size

      5KB

    • MD5

      fe537a3346590c04d81d357e3c4be6e8

    • SHA1

      b1285f1d8618292e17e490857d1bdf0a79104837

    • SHA256

      bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

    • SHA512

      50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

    • SSDEEP

      96:w9fXh7CBF8l1cHRDOjY4YbiPkW7UW1g+dWi9sBSy3HQNm6wx2xC7vz5:GXh78hHRDOU4YWPk2J14i9E3ymBxW+

    Score
    10/10
    • Target

      RAT/CobaltStrike.doc

    • Size

      86KB

    • MD5

      96ff9d4cac8d3a8e73c33fc6bf72f198

    • SHA1

      17d7edf6e496dec4695d686e7d0e422081cd5cbe

    • SHA256

      96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

    • SHA512

      23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

    • SSDEEP

      1536:lDZnLvdWcSVUj473eXfb6K3ABfSlH+ArfocK4XEorNColhVDo8NYzyReCxRVZs+x:vDAzVY4zSfb6mABfSleqocKg7Bo8NiCR

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    • Metasploit family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Target

      RAT/CrimsonRAT.exe

    • Size

      84KB

    • MD5

      b6e148ee1a2a3b460dd2a0adbf1dd39c

    • SHA1

      ec0efbe8fd2fa5300164e9e4eded0d40da549c60

    • SHA256

      dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

    • SHA512

      4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

    • SSDEEP

      1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

    Score
    10/10
    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    • Crimsonrat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      RAT/NetWire.doc

    • Size

      7.3MB

    • MD5

      6b23cce75ff84aaa6216e90b6ce6a5f3

    • SHA1

      e6cc0ef23044de9b1f96b67699c55232aea67f7d

    • SHA256

      9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

    • SHA512

      4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

    • SSDEEP

      49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Target

      RAT/VanToM-Rat.bat

    • Size

      183KB

    • MD5

      3d4e3f149f3d0cdfe76bf8b235742c97

    • SHA1

      0e0e34b5fd8c15547ca98027e49b1dcf37146d95

    • SHA256

      b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

    • SHA512

      8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

    • SSDEEP

      3072:UurlxKcmWTTt7Zde2vBVQF4EWjFRA229YvepcCBKXnpU:vrlOWFddeAVQF4EWx92iepcCBK3

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks