crimsonrat

General

Target

Kami Export - Marcus Plummer - AWT Syllabus.pdf
Size

435KB
Sample

250317-yqm33sxvfv
MD5

c376379bcf9f35bb154307200f251fbd
SHA1

f219958a10e2c0c70f00e79256454337153fd170
SHA256

7a1e837726b6dd6d567e3f9ce15154bf2b7784f718ca8c2e979af6ed5a2d2c5d
SHA512

38a7025b9433349c01c738573c5ceacc706a5cac43ab93ddfd0450064441773548cb77a58a222186da4a401378646fabafcf8b49339c13fd344ac882cd6da0bc
SSDEEP

6144:emneU2Kt2F/AmEmRPGS12EbftIoPFEh2YS1FoTpZAF107ieQg3:feU2Kt2FomrPGuXPFEEb1uT3AoQg3

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

- Target
  
  Kami Export - Marcus Plummer - AWT Syllabus.pdf
- Size
  
  435KB
- MD5
  
  c376379bcf9f35bb154307200f251fbd
- SHA1
  
  f219958a10e2c0c70f00e79256454337153fd170
- SHA256
  
  7a1e837726b6dd6d567e3f9ce15154bf2b7784f718ca8c2e979af6ed5a2d2c5d
- SHA512
  
  38a7025b9433349c01c738573c5ceacc706a5cac43ab93ddfd0450064441773548cb77a58a222186da4a401378646fabafcf8b49339c13fd344ac882cd6da0bc
- SSDEEP
  
  6144:emneU2Kt2F/AmEmRPGS12EbftIoPFEh2YS1FoTpZAF107ieQg3:feU2Kt2FomrPGuXPFEEb1uT3AoQg3
Score

10^/10

discovery crimsonrat remcos revengerat warzonerat guest host defense_evasion infostealer persistence privilege_escalation rat rezer0 stealer trojan
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- Crimsonrat family
  crimsonrat
- Modifies WinLogon for persistence
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- UAC bypass
  defense_evasion trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- RevengeRat Executable
  stealer
- Warzone RAT payload
  rat
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2