MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CrimsonRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9
SHA3-384 hash:	35699abdecf397a7def6c1112912ce2f32bd227950e650ac74ed6f3c9702790dde0b14ef37e40feed3a64d205649fc22
SHA1 hash:	5719997dc90fa7eeb7423a79c4f81fcaa0585b04
MD5 hash:	7bea485c40d977a7210ae3a095dd9357
humanhash:	low-earth-golf-kilo
File name:	igfxmgmt.exe
Download:	download sample
Signature	CrimsonRAT Create hunting rule
File size:	1'308'672 bytes
First seen:	2020-08-19 11:01:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bf5a4aa99e5b160f8521cadd6bfe73b8 (423 x RedLineStealer, 31 x AgentTesla, 12 x DCRat)
ssdeep	24576:5k70Trc6BTTZwg9j3K2ozcd7UvjWFtkyqd3RO53EgNiDIpW4:5kQTA6TZnjlRS2k33k5vxpW4
Threatray	103 similar samples on MalwareBazaar
TLSH	6F55231179D2CA37D1B722318AD1C13CA27E643517AA66C777DE4BFB4B222E1A3351C8
Reporter	abuse_ch
Tags:	CrimsonRAT exe RAT

abuse_ch

Malspam distributing CrimsonRAT:

HELO: essberger.biz
Sending IP: 74.67.26.122
From: Jan Eghøj<janegjoj@essberger.biz>
Subject: Payment
Attachment: Payment.xlsm

CrimsonRAT payload URL:
https://laopermanentmission-jakarta.gov.la/yea/igfxmgmt.exe

CrimsonRAT C2:
45.147.231.70:3489

Intelligence

File Origin

# of uploads :

1

# of downloads :

1'704

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48424/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Sending a custom TCP request

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/437582

Signature

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for sample

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9/

Threat name:

Win32.Trojan.Bluteal

Status:

Malicious

First seen:

2020-08-19 11:03:08 UTC

File Type:

PE (Exe)

Extracted files:

1

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vdycxcx6dlqyer6ffuxhe4w6nagidz7scxctalm4bfq76owvfs4q._file

Verdict:

malicious

Similar samples:

1e2773c36054c3392f3e220d4c22cce63f31750c2ee6707198e4d15648f11897

3c90e174ff5097d991e0b99001a4e64e0c9e312df0ec03cee51380148974920e

49cd5a74bbebb0bb147f1bfb1e0ec7e42de79cd137eff2b62386cb3ac5229dab

5dbe7d927fbad788711eb319a3450f00b1f8618b6e2bbe83d2db30276f8e8ff2

6412e50a2a917f37b09730c975d7dbc1ccebc48442196b74d7cf694e19a093c7

95aee7e64808e12f340834e6b49c3541c1e5e0b3a1ff1fcd7eb2591a83b619fb

aaf4ec4fd94e1da7b19a572aa597547d47e3d727e9d23a664996d62b0d3bcc88

bd343b1b5db4f37db72ebf4abba33431c9e28fbb845e847ee1184270c8807204

d5b11657c8bcb70e2f3f041ad8b18e7e1b425f35da31110bcd1ddb4c9d8713b3

e8406edde4743eec38d88fd58f2c79b11d09d76bcd57b757cdf5844ea5bd55e7

+ 93 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200819-v6n18gkemx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Frauhost

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

xlsm 8d3996209ba2ecdf049096fbe494f5cb082441a864ddef20239954e8e8b8adb3

exe a8f02b8afe1ae18247c52d2e7272de680c81e7f215c5302d9c0961ff3ad52cb9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/435647/

Dropped by

MD5 ac90ac3cf422e675512dc860cdc3526b

Dropped by

SHA256 8d3996209ba2ecdf049096fbe494f5cb082441a864ddef20239954e8e8b8adb3

Delivery method

Distributed via web download

Cape

Cape

https://www.capesandbox.com/analysis/48424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample