Extracted

• • Target

    NoEscape.exe_Virus

  • Size

    226KB

  • MD5

    5d68d9915a83eebed2128edaa7742a83

  • SHA1

    c61c39aeb053225bdbc0c4e4e48c00275b6c36a5

  • SHA256

    55e7d851f6b8ecd03e0ee601e92adb483242102718cec9befd2e4b4076542a71

  • SHA512

    e398b67bb73abfdb7218e631ca6f8d38f3fa520c266cc22232b9dcb376e2b4dd24dfc3d01e2081278aaa03ef1267e1f7b5818e9ed8a33dd249a89203172c2783

  • SSDEEP

    6144:M5aNPNpOL/saqkPV9FemLtcIDSsmw79TvZJT3CqbMrhryf65NRPaCieMjAkvCJvG:M8NPNpOL/saqkPV9FemLtcIDSsmw79Tv

  Score

  10^/10

  crimsonratdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarerattrojan

  • CrimsonRAT main payload

  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat

  • Crimsonrat family

    crimsonrat

  • Modifies WinLogon for persistence

    persistence

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • UAC bypass

    evasiontrojan

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Disables RegEdit via registry modification

    evasion

  • Disables Task Manager via registry modification

    evasion

  • Disables use of System Restore points

    evasion

  • Downloads MZ/PE file

  • Event Triggered Execution: Image File Execution Options Injection

    persistence

  • Modifies Windows Firewall

    evasion

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1