General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

  • Sample

    250319-v6r57atjy7

Malware Config

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    • Crimsonrat family

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • Revengerat family

    • RevengeRat Executable

    • Disables Task Manager via registry modification

    • Drops startup file

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks