General
Target: forge-1.21-51.0.33-installer.jar
Size: 6.0MB
Sample: 241212-r3lx8axlfv
MD5: 8c436eda9da0144789bab353d08be245
SHA1: 5249b3c3ca3d9a2cb8a8d321e3eef67ca64af85f
SHA256: e59cbc05af015b2e6c083703a60f931b88e931f14cc9c97c401d4f72fc14e1ec
SHA512: 9e95606a5ec7070d3c3f92470813909c4333af931d1617610d532f44d15bfcd022dc50098443029bdfbde46705a2af851fa6e3068725032f8e9d00f669326ce4
SSDEEP: 98304:VewET64fA5dC8hTMfN02yZqbsUwE9gxOvxwIzjX9C27koljF7SRrw7P6Fzr+WvfV:fCcdC8um2yb9E9gxqnzhC275ljtSDFzB
Static task: static1
Behavioral task: behavioral1
  Sample: forge-1.21-51.0.33-installer.jar
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: forge-1.21-51.0.33-installer.jar
  Resource: win10v2004-20241007-en
Malware Config
Targets
Target: forge-1.21-51.0.33-installer.jar
- CrimsonRAT main payload
- Crimsonrat family
- Modifies WinLogon for persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Modifies Windows Firewall
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (1)
  Modify Registry (4)
  Pre-OS Boot (1)
    Bootkit (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)