crimsonrat | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba | Triage

Sharing

General

Target

CrimsonRAT.exe
Size

84KB
Sample

250219-selszssrew
MD5

b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1

ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256

dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512

4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
SSDEEP

1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score

10^/10

crimsonrat bootkit discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

- Target
  
  CrimsonRAT.exe
- Size
  
  84KB
- MD5
  
  b6e148ee1a2a3b460dd2a0adbf1dd39c
- SHA1
  
  ec0efbe8fd2fa5300164e9e4eded0d40da549c60
- SHA256
  
  dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
- SHA512
  
  4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
- SSDEEP
  
  1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG
Score

10^/10

crimsonrat bootkit discovery persistence privilege_escalation rat
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Modifies system executable filetype association
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Pre-OS Boot

Bootkit

Privilege Escalation

Event Triggered Execution

Change Default File Association

Component Object Model Hijacking

Defense Evasion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

crimsonratbootkitdiscoverypersistenceprivilege_escalationrat