MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c70e7a86d9418de014123679e862d1a25097bd8d36ffdf059bdd02780b15d10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CrimsonRAT

Vendor detections: 2

Intelligence 2 IOCs YARA File information Comments

SHA256 hash:	7c70e7a86d9418de014123679e862d1a25097bd8d36ffdf059bdd02780b15d10
SHA3-384 hash:	51f3cf1ec23d7fe71f61565a3872bdbb28951736f9975860935fc20ec387124710e560f6adc8a254eaa4a3f3c6c49302
SHA1 hash:	536243cd977773083991ee4de25e0a5db7b7d2d2
MD5 hash:	af09aad33f978ce8e705534be9446398
humanhash:	london-comet-emma-kansas
File name:	ORDER-78557.xlsm
Download:	download sample
Signature	CrimsonRAT Create hunting rule
File size:	426'589 bytes
First seen:	2020-05-28 06:37:33 UTC
Last seen:	2020-05-28 08:22:44 UTC
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	12288:y49w8fyunGthwu8kxPthZugvq4jzjSGUufjIB:y49b7AhFxPthZnvL3t70
TLSH	3A94232FD258AE9FC6F3DA7E8D4486E7231653C9379079BA685C8888065F13EC071E51
Reporter	abuse_ch
Tags:	CrimsonRAT nVpn RAT xlsm

abuse_ch

Malspam distributing unidentified malware:

HELO: pro152-34.mxout.rediffmailpro.com
Sending IP: 119.252.152.34
From: sarkhej sundek <skj.sil@sundekintl.com>
Subject: INQUIRY FOR NEW ORDER-78557
Attachment: ORDER-78557.xlsm

Unknown RAT payload URL:
http://111.90.149.244/vbs.exe

Unknown RAT C2:
194.5.99.151:56780

Hosted on nVpn:

% Information related to '194.5.99.0 - 194.5.99.255'

% Abuse contact for '194.5.99.0 - 194.5.99.255' is 'abuse@inter-cloud.tech'

inetnum: 194.5.99.0 - 194.5.99.255
netname: Privacy_Online
remarks: ------------------------------------------------------------------------
remarks: This prefix is used by a non-logging VPN service provider.
remarks: We don't log any user activities.
remarks: We don't host anything else on our servers than VPN software (OpenVPN,
remarks: IKEv1 & 2, WireGuard ...).
remarks: Our customers can open up to 8 Ports (TCP & UDP).
remarks: We support the Tor Project: https://www.torproject.org
remarks: Before sending us potential complaints, please read:
remarks: https://www.torservers.net/abuse.html
remarks:
remarks: We are under constant pressure by Spamhaus.
remarks: Spamhaus issues tons of fake SBL listings in order to destroy our service.
remarks: They use fake identities, violate EU laws and hide outside the EU in
remarks: Andorra to avoid legal consequences.
remarks: Please don't trust this organization.
remarks: If you have any questions related to our service, please contact us
remarks: directly via e-mail: support@inter-cloud.tech
remarks:
remarks: Thank you.
remarks: ------------------------------------------------------------------------
admin-c: RA9926-RIPE
tech-c: RA9926-RIPE
org: ORG-NFAS6-RIPE
country: GB
status: ASSIGNED PA
mnt-by: inter-cloud-mnt
created: 2019-07-20T20:42:53Z
last-modified: 2020-03-10T21:28:31Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

1'788

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.VBA.TrojanDownloader.Agent.SVU.980.UNOFFICIAL

Gathering data

Threat name:

Document-Word.Downloader.Sload

Status:

Malicious

First seen:

2020-05-28 07:41:15 UTC

File Type:

Document

Extracted files:

AV detection:

5 of 48 (10.42%)

Threat level:

2/5

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/201109-tfq1fmz3wx/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Office loads VBA resources, possible macro or embedded object present

Blacklisted process makes network request

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://111.90.149.244/vbs.exe

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

CrimsonRAT

xlsm 7c70e7a86d9418de014123679e862d1a25097bd8d36ffdf059bdd02780b15d10

(this sample)

AgentTesla

exe cf1e8f2fc2dd05514be3e8f92abf5b266dfb1547cc611dabc0cc4eea5a1b7dfe

URLhaus

https://urlhaus.abuse.ch/url/370352/

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 cf1e8f2fc2dd05514be3e8f92abf5b266dfb1547cc611dabc0cc4eea5a1b7dfe

Dropping

MD5 4277289b0c0654dbc05a67af9ebbcbfd

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample