crimsonrat

Sharing

General

Target

RAT.zip
Size

3.3MB
Sample

241206-mymlqszlbq
MD5

903beb9c404e734ecb94ff771df81a17
SHA1

a6d771037f370909e1637a683902a8fa2050e900
SHA256

a27ff09ec8cbc4b9bad0679d8922ed1dd22fbf9bcf472ba69c1e413e6785dfa3
SHA512

f4314bbd478c984e2da8cee39d60d78033e643ff9877b4758b8144f85b96c68d026f867d150f79c79bb0ce36b28cd63763e81c36c9cf8ec631d1dd447f094392
SSDEEP

49152:XaoQKZtf5ApLv4s+SelbXdkFgMxf4HuqM+QqKEUCPtppfIN5H3N55ztvhDbcqfpc:9tfeDmhXdckuXqxlPaD3xzt5XVnI

Score

10^/10

Malware Config

Extracted

Family

metasploit

Version

windows/download_exec

http://149.129.72.37:23456/SNpK

Attributes

headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

185.136.161.124

Targets

- Target
  
  RAT/Adwind.exe
- Size
  
  5KB
- MD5
  
  fe537a3346590c04d81d357e3c4be6e8
- SHA1
  
  b1285f1d8618292e17e490857d1bdf0a79104837
- SHA256
  
  bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a
- SHA512
  
  50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce
- SSDEEP
  
  96:w9fXh7CBF8l1cHRDOjY4YbiPkW7UW1g+dWi9sBSy3HQNm6wx2xC7vz5:GXh78hHRDOU4YWPk2J14i9E3ymBxW+
Score

10^/10

qnodeservice trojan
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
  trojan qnodeservice
- Qnodeservice family
  qnodeservice
behavioral1 behavioral2
- Target
  
  RAT/CobaltStrike.doc
- Size
  
  86KB
- MD5
  
  96ff9d4cac8d3a8e73c33fc6bf72f198
- SHA1
  
  17d7edf6e496dec4695d686e7d0e422081cd5cbe
- SHA256
  
  96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
- SHA512
  
  23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46
- SSDEEP
  
  1536:lDZnLvdWcSVUj473eXfb6K3ABfSlH+ArfocK4XEorNColhVDo8NYzyReCxRVZs+x:vDAzVY4zSfb6mABfSleqocKg7Bo8NiCR
Score

10^/10

metasploit backdoor discovery trojan
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- Metasploit family
  metasploit
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
behavioral3 behavioral4
- Target
  
  RAT/CrimsonRAT.exe
- Size
  
  84KB
- MD5
  
  b6e148ee1a2a3b460dd2a0adbf1dd39c
- SHA1
  
  ec0efbe8fd2fa5300164e9e4eded0d40da549c60
- SHA256
  
  dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
- SHA512
  
  4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
- SSDEEP
  
  1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG
Score

10^/10

crimsonrat rat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral5 behavioral6
- Target
  
  RAT/NetWire.doc
- Size
  
  7.3MB
- MD5
  
  6b23cce75ff84aaa6216e90b6ce6a5f3
- SHA1
  
  e6cc0ef23044de9b1f96b67699c55232aea67f7d
- SHA256
  
  9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15
- SHA512
  
  4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125
- SSDEEP
  
  49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG
Score

10^/10

discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  RAT/VanToM-Rat.bat
- Size
  
  183KB
- MD5
  
  3d4e3f149f3d0cdfe76bf8b235742c97
- SHA1
  
  0e0e34b5fd8c15547ca98027e49b1dcf37146d95
- SHA256
  
  b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a
- SHA512
  
  8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff
- SSDEEP
  
  3072:UurlxKcmWTTt7Zde2vBVQF4EWjFRA229YvepcCBKXnpU:vrlOWFddeAVQF4EWx92iepcCBK3
Score

7^/10

credential_access persistence spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Adds Run key to start application
  persistence
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

QNodeService

Qnodeservice family

MetaSploit

Metasploit family

Process spawned unexpected child process

Blocklisted process makes network request

CrimsonRAT main payload

Crimsonrat family

Checks computer location settings

Executes dropped EXE

Process spawned unexpected child process

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10