Overview

overview

10

Static

static

3

CrimsonRAT.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    43s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250218-en
  • resource tags

    arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    08/03/2025, 21:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CrimsonRAT.exe

  • Size

    84KB

  • MD5

    b6e148ee1a2a3b460dd2a0adbf1dd39c

  • SHA1

    ec0efbe8fd2fa5300164e9e4eded0d40da549c60

  • SHA256

    dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

  • SHA512

    4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

  • SSDEEP

    1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score
10/10
crimsonratrat

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Crimsonrat family
    crimsonrat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      2⤵
      • Executes dropped EXE
      PID:3412
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3120,i,4634074957638558700,2080510381543222728,262144 --variations-seed-version --mojo-platform-channel-handle=784 /prefetch:14
    1⤵
      PID:2188
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3632
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\EnterRestart.mp4v"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4548
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MergeConvertTo.docx" /o ""
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Hdlharas\dlrarhsiva.exe
        Filesize

        9.1MB

        MD5

        64261d5f3b07671f15b7f10f2f78da3f

        SHA1

        d4f978177394024bb4d0e5b6b972a5f72f830181

        SHA256

        87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

        SHA512

        3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

        Download Submit

      • C:\ProgramData\Hdlharas\mdkhm.zip
        Filesize

        56KB

        MD5

        b635f6f767e485c7e17833411d567712

        SHA1

        5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

        SHA256

        6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

        SHA512

        551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
        Filesize

        272B

        MD5

        c3bb4d0f5d176b2d220e53839b53efda

        SHA1

        4ac15e33c57a245ccfe68e81edaa4d029d1c55f3

        SHA256

        4c935ac5c22c203233bf4ebff5822d51c3183176f01473d4eebf97b1478c7e8d

        SHA512

        1ac3b245a11c9885e2861b88894c83860c237f93727744108a3287c391a1353e868ec822895effa0b61a81fee01cdf8122ae36a6e5bc75693d6564fb9ec23a90

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
        Filesize

        16B

        MD5

        d29962abc88624befc0135579ae485ec

        SHA1

        e40a6458296ec6a2427bcb280572d023a9862b31

        SHA256

        a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

        SHA512

        4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

        Download Submit

      • memory/1728-111-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-112-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-52-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-114-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-113-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-58-0x00007FFBD7AB0000-0x00007FFBD7AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-57-0x00007FFBD7AB0000-0x00007FFBD7AC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-56-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-55-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-53-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1728-54-0x00007FFBDA650000-0x00007FFBDA660000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3412-38-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3412-40-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3412-39-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3412-35-0x00000253792E0000-0x0000025379BF4000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/3412-34-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4220-37-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4220-0-0x00007FFBF9313000-0x00007FFBF9315000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4220-2-0x00007FFBF9310000-0x00007FFBF9DD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4220-1-0x000001C459900000-0x000001C45991E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4548-51-0x00007FFBEC880000-0x00007FFBED930000-memory.dmp

        Filesize

        16.7MB

        Download

      • memory/4548-50-0x00007FFBF3890000-0x00007FFBF3B46000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4548-49-0x00007FFBFFF00000-0x00007FFBFFF34000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4548-48-0x00007FF731D30000-0x00007FF731E28000-memory.dmp

        Filesize

        992KB

        Download