MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CrimsonRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e
SHA3-384 hash: 74fdf2ae76cde34204c81b2b08f9092a5c541e884b0b9cac11b2e85ec570bbb5563c1d2f9ac15bf2a9c3988536030b5d
SHA1 hash: a248e866bb2a19979dc5ffb0f5db5e14e8b57620
MD5 hash: aa5d19cb085c0594803a17d0a374cfc2
humanhash: grey-lithium-fifteen-autumn
File name:aa5d19cb085c0594803a17d0a374cfc2.exe
Download: download sample
Signature CrimsonRAT
Create hunting rule
File size:10'469'888 bytes
First seen:2021-05-17 09:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'076 x AgentTesla, 20'038 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:z6xi1RVQuL4pDQycZzhwoywaSsqOg/t2ne9hm4rdC:z6IreKmyazqt1mEm4r
Threatray 7 similar samples on MalwareBazaar
TLSH 85B6CE9ED3C4C4A9D45D01B68C269B251C13AEFB8924B50B286BBD1F75B3F43136AD0E
Reporter abuse_ch
Tags:CrimsonRAT exe


Avatar
abuse_ch
CrimsonRAT C2:
173.249.50.57:2642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
173.249.50.57:2642 https://threatfox.abuse.ch/ioc/43952/

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'098
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa5d19cb085c0594803a17d0a374cfc2.exe
Verdict:
Malicious activity
Analysis date:
2021-05-17 09:53:15 UTC
Tags:
trojan rat crimson
Link:
https://app.any.run/tasks/6454fa6b-10bf-45bc-a828-02346201e10f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/157803/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
Sending a UDP request
Sending a custom TCP request
Result
Threat name:
Crimson
Create hunting rule
Detection:
malicious
Classification:
troj.spyw
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/783392
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to capture screen (.Net source)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Crimson RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 415788 Sample: Q6zUziLx1Z.exe Startdate: 17/05/2021 Architecture: WINDOWS Score: 72 33 Antivirus / Scanner detection for submitted sample 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Yara detected Crimson RAT 2->37 39 2 other signatures 2->39 8 Q6zUziLx1Z.exe 3 7 2->8         started        process3 dnsIp4 29 173.249.50.57, 2642, 49723 CONTABODE Germany 8->29 11 AcroRd32.exe 15 39 8->11         started        process5 process6 13 RdrCEF.exe 65 11->13         started        16 AcroRd32.exe 8 6 11->16         started        dnsIp7 31 192.168.2.1 unknown unknown 13->31 18 RdrCEF.exe 13->18         started        21 RdrCEF.exe 13->21         started        23 RdrCEF.exe 13->23         started        25 2 other processes 13->25 process8 dnsIp9 27 80.0.0.0 NTLGB United Kingdom 18->27
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e/
Threat name:
ByteCode-MSIL.Ransomware.Foreign
Create hunting rule
Status:
Malicious
First seen:
2018-11-29 20:58:44 UTC
AV detection:
21 of 48 (43.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=24atro5tnb5kggzv75fk3la77zswtxrclga7fgnyqu54nhapyopa._file
Verdict:
malicious
Similar samples:
47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e
CrimsonRAT
4c8e0459524380a9f00ffc58913f461c3e1d8737dd18252881f09e2d416e4f73
CrimsonRAT
5dcb736bf556729b30654fe97da034c1ccd7471f7587cb82dc33f4aef2248b9c
CrimsonRAT
bbea096ceb3c94454a5b92e5f614f107bd98df0b9d2f7022574256d0614f35c8
CrimsonRAT
be7c3bf33d9e06fdf23da68ab87a8c4cdddba7d2fbcaf4b1a68c443ab0a45288
CrimsonRAT
d0dbca82a9b5aec7e2a2b4bf10ee6f3369bf639551c5eef4143498fee67de67a
CrimsonRAT
fe33ba5d5f49662ce90089b1f64a76887b9e1eadc46b8c0eada007295f387682
CrimsonRAT
Result
Malware family:
crimsonrat
Create hunting rule
Score:
  10/10
Tags:
family:crimsonrat
Link:
https://tria.ge/reports/210517-t56gajpnhs/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
APT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d70138bbb3687aa31b35ff4aadac1ffe6569de225981f299b8853bc69c0fc39e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/157803/

Comments