General

  • Target

    WhatsApp Installer.exe

  • Size

    1.0MB

  • Sample

    250305-pv4rysyvcv

  • MD5

    32bb05c3b06139948230b5fd353931a7

  • SHA1

    33bf610327ffd3cc9bf54f8ccd14b50b4120d74c

  • SHA256

    6d9ce4c2d887f528e014f86938d9934839d1f75ff074866f0f51c3bf7342af18

  • SHA512

    28fad22a92f9cd26df9af5e60b1ebf2b18c786880334482a6f99fc170c13e1948ba1de00d41068a06e61b381a4d06fdf9972b3ffc2da6aa6b7cd5bcbbdb3d1dc

  • SSDEEP

    12288:qB613t1V9A+Tac0RDffXJjyYp88oNHSy5viczGMwP2FC1Wf3VfXJjyNpoX:UG1k+2DR7BWYp88o44HP9BWNpoX

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      WhatsApp Installer.exe

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Crimsonrat family

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro that triggers only under special circumstances; often malicious.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v15

Tasks