Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://vidaramlokm....

windows10-2004-x64

Resubmissions

10/03/2025, 09:25

250310-ldz6naznw6 3

21/02/2025, 05:40

250221-gczraatqex 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://vidaramlokm.fly.storage.tigris.dev/vidramrubim.html

  • Sample

    250221-gczraatqex

Score
10/10
crimsonratbootkitdiscoverymotwpersistencephishingrat

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      https://vidaramlokm.fly.storage.tigris.dev/vidramrubim.html

    Score
    10/10
    crimsonratbootkitdiscoverymotwpersistencephishingrat

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • Crimsonrat family

      crimsonrat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Probable phishing domain

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks