General

  • Target

    sample

  • Size

    53KB

  • Sample

    250129-lzhthavlgy

  • MD5

    0fe5d379ba13ffbe79071ee5050d433f

  • SHA1

    9f6b75eeab43c7545106f7c34dcf451e1544cc32

  • SHA256

    a77b46a19d7c96601d5baa05d9b0091f6eafa696b5871fdfe3d7c61aa9722b3a

  • SHA512

    ade927d4f63d93abd0adc802f224e3d54072394312da0fff493bffe3c377931ca4473372582ee5e616b041612e0e27dd801777b9ec5036811b6283e62ddf71cc

  • SSDEEP

    1536:q69UFuCHuZpMoKHQqWSkjp2EAcSgNRI6ZsnJVrQ5Ya0S6V/9hTl67Q4sclW+CSS/:V9UFuL3MoKHQqWSkjp2EAcSgNRI6Zsnz

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      sample

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor (tracked as Transparent Tribe / APT36).

    • Crimsonrat family

    • Modifies WinLogon for persistence

    • Enumerates VirtualBox registry keys

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Event Triggered Execution: Image File Execution Options Injection

    • Looks for VMWare Tools registry key

    • Sets file to hidden

      Sets the hidden file attribute so the file is not shown in Explorer and other file listings by default.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.
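The signatures above name three registry persistence locations (Winlogon, Image File Execution Options, Run key), a drop location (the Drivers directory) and one C2 address. The following is an added example, not part of the sandbox report, showing how an analyst can turn those observations into a host and proxy-log sweep. The registry export, the file name svchost32.exe, the Run value name dlrarhsiva, the Squid-style proxy lines and the 10.0.0.x client addresses are constructed for illustration; only the C2 IP 185.136.161.124 comes from the report.

```python
"""Sweep a Windows registry export for the persistence artefacts listed in
the report (Winlogon Userinit/Shell hijack, IFEO Debugger, Run key entries
pointing into the Drivers directory) and match proxy logs against the
extracted C2 address. Added example; sample data below is constructed."""
import re
from dataclasses import dataclass

C2_IP = "185.136.161.124"  # extracted C2 from the report

# Stock values for the two Winlogon entries malware most often overwrites.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
}

# Constructed .reg-style export (assumption: illustrative, not the sample's real keys).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\System32\\drivers\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\drivers\\svchost32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"dlrarhsiva"="C:\\Windows\\System32\\drivers\\svchost32.exe"
"""

# Constructed Squid native-format proxy lines (assumption: format and clients are illustrative).
SAMPLE_PROXY_LOG = """\
1738148001.123 200 10.0.0.12 TCP_MISS/200 1024 GET http://185.136.161.124:8080/ - HIER_DIRECT/185.136.161.124 application/octet-stream
1738148002.456 200 10.0.0.12 TCP_MISS/200 512 GET http://www.microsoft.com/ - HIER_DIRECT/13.107.42.14 text/html
1738148003.789 200 10.0.0.44 TCP_MISS/200 2048 CONNECT 185.136.161.124:443 - HIER_DIRECT/185.136.161.124 -
"""


@dataclass
class Finding:
    technique: str
    key: str
    name: str
    data: str


def parse_reg(text):
    """Parse a minimal .reg export into {key_path: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes as "\\"; collapse them to real paths.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def hunt_persistence(keys):
    """Return findings for the persistence techniques named in the report."""
    findings = []
    for key, values in keys.items():
        lower = key.lower()
        if lower.endswith(r"\currentversion\winlogon"):
            # Any deviation from the stock Shell/Userinit value is worth a look.
            for name, default in WINLOGON_DEFAULTS.items():
                data = values.get(name)
                if data is not None and data.lower().rstrip(",") != default.lower().rstrip(","):
                    findings.append(Finding("Winlogon Helper hijack (T1547.004)", key, name, data))
        elif "\\image file execution options\\" in lower and "Debugger" in values:
            # A Debugger value launches the named binary instead of the target executable.
            findings.append(Finding("IFEO Injection (T1546.012)", key, "Debugger", values["Debugger"]))
        elif lower.endswith(r"\currentversion\run") or lower.endswith(r"\currentversion\runonce"):
            # The sample drops into the Drivers directory; Run entries pointing there are anomalous.
            for name, data in values.items():
                if re.search(r"\\drivers\\[^\\]+\.exe", data, re.I):
                    findings.append(Finding("Run key to Drivers dir (T1547.001)", key, name, data))
    return findings


def hosts_contacting_c2(log_text, c2=C2_IP):
    """Return the sorted client IPs whose proxy lines mention the C2 address."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(c2) + r"(?![\d.])")
    return sorted({line.split()[2] for line in log_text.splitlines() if pattern.search(line)})


if __name__ == "__main__":
    for f in hunt_persistence(parse_reg(SAMPLE_REG)):
        print(f"{f.technique}: {f.key} -> {f.name} = {f.data}")
    print("clients contacting C2:", hosts_contacting_c2(SAMPLE_PROXY_LOG))
```

On a real host, feed the output of `reg export` for the Winlogon, IFEO and Run hives into `parse_reg`, and pair the registry findings with the file hashes in the General section to confirm that the referenced binary is this sample rather than a benign coincidence.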

MITRE ATT&CK Enterprise v15

Tasks