MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CrimsonRAT

Vendor detections: 8

Intelligence 8 IOCs 1 YARA 4 File information Comments

SHA256 hash:	a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a
SHA3-384 hash:	9564017b17ef6346de4c2708ec6777025b41961b0730e444909ad428afdda84474a30e561475e90f9b1bb929d4a5b5a1
SHA1 hash:	a6bfe60170efd697ccca1e2e2dd7c6990e0bb90e
MD5 hash:	529ba5d2c599a72bb56a4b66214af1ae
humanhash:	jig-mike-mars-freddie
File name:	529BA5D2C599A72BB56A4B66214AF1AE.exe
Download:	download sample
Signature	CrimsonRAT Create hunting rule
File size:	10'938'880 bytes
First seen:	2021-06-16 19:16:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'070 x AgentTesla, 20'024 x Formbook, 12'352 x SnakeKeylogger)
ssdeep	768:XnzHfh5s5+uBsI07a24msgjtQoIYlHqqlYcGYF2X3w2vf0DDe5MFgkaj7QUAc8Fc:Xrff4biIYlbaYFIHX0DSeFXan
Threatray	17 similar samples on MalwareBazaar
TLSH	FEB602E8F7384120C86B5A374680A375D065FCE6042149A7BEB4B9BD3C56BD4F8172BB
Reporter	abuse_ch
Tags:	CrimsonRAT exe

abuse_ch

CrimsonRAT C2:
144.91.79.40:12427

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
144.91.79.40:12427	https://threatfox.abuse.ch/ioc/130941/

Intelligence

File Origin

# of uploads :

# of downloads :

1'094

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

529BA5D2C599A72BB56A4B66214AF1AE.exe

Verdict:

Malicious activity

Analysis date:

2021-06-16 19:17:54 UTC

Tags:

trojan rat crimson

Link:

https://app.any.run/tasks/952a6158-8ce8-49e4-9d53-b8330c101d14

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Spyware.CrimsonRat-9859243-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Malware family:

CrimsonRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6404ba06-7c57-4b4c-a575-3958d679bd67

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/803312

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a/

Threat name:

ByteCode-MSIL.Ransomware.Foreign

Status:

Malicious

First seen:

2021-06-14 17:40:43 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ud3jmocf26xk4muajdngmbmqlh63znwmgbys7uikgqayzlyl2kfa._file

Verdict:

unknown

CrimsonRAT

423ce9320e357189663367f227063aaad82e4d61f35e4566621de49723d710fb

CrimsonRAT

4ee3ccc5e44ba8a78e9555dc582e5cf75427c95a24afba1aaae2f365fd97feef

CrimsonRAT

5f671b1c0644745816b1ccb89f46eb2d7966feedae3d542d1565a7ebf0b6a5e0

CrimsonRAT

8428c5045d1fbd4ae7c0c020024e03ee55ac6c4116b4bd3dbcc4e9bf2580d727

CrimsonRAT

94329df75d76c02854c7c90c2c690293c9d17ad42ca1693cb7adadff87a4279f

CrimsonRAT

ce9d76d3febfe1af8c81e6e9d25a70add6fa49a2ff6f36aaf20be9e0e03d8a16

CrimsonRAT

e51ad389e78c6265cc5bf18f7bc1533052cc247621c27892ea3120339461f8cf

CrimsonRAT

e7038fea8e971069b99dccef6ab0242e2faaa33c6cc6f29afe6c0c37ac2645bb

CrimsonRAT

f7f5b14745f49ef2b4f846d53003caeecdfce9e4540db03febfd36b58cf1e805

CrimsonRAT

+ 7 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210616-ln4w7rdgds/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Unpacked files

SH256 hash:

a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a

MD5 hash:

529ba5d2c599a72bb56a4b66214af1ae

SHA1 hash:

a6bfe60170efd697ccca1e2e2dd7c6990e0bb90e

Link:

https://www.unpac.me/results/057b62a9-c288-4028-bf42-855369cae644/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0f6963845d7aeae328048da66059059fdbcb6cc30712fd10a34018caf0bd28a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Glasses Create hunting rule
Author:	Seth Hardy
Description:	Glasses family

Rule name:	GlassesCode Create hunting rule
Author:	Seth Hardy
Description:	Glasses code features

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample