MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

CrimsonRAT

Vendor detections: 8

Maldoc score: 23

Intelligence 8 IOCs YARA 11 File information Comments

SHA256 hash:	e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404
SHA3-384 hash:	049b86f4a43bae174729326938b850fe39b4809263a5755b457fcf0b484b81744ab05da465543464f8d07b9bbbef2149
SHA1 hash:	b67712125dce3f8b5d197fcc46aaf627da2fb7eb
MD5 hash:	22ce9042f6f78202c6c346cef1b6e532
humanhash:	washington-quebec-tango-pluto
File name:	5.docm
Download:	download sample
Signature	CrimsonRAT Create hunting rule
File size:	4'779'017 bytes
First seen:	2023-10-09 09:11:12 UTC
Last seen:	Never
File type:	docm
MIME type:	application/octet-stream
ssdeep	98304:JWnSXYZsDL1nxNUQfbqKh1nshu8JOH0sLbl9t0/ZwiwrYSMlGortsUDIS7JuLYsa:0niUs39sQeK8uY+Jl9MZwdrDMlGorts2
TLSH	T1382633B49DFED2B0B33D01F6D5FA5B12B14809A4CEAAD4A777D913F4848680EE2161D3
TrID	53.0% (.DOCM) Word Microsoft Office Open XML Format document (with Macro) (52000/1/9) 23.9% (.DOCX) Word Microsoft Office Open XML Format document (23500/1/4) 17.8% (.ZIP) Open Packaging Conventions container (17500/1/4) 4.0% (.ZIP) ZIP compressed archive (4000/1) 1.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter	smica83
Tags:	apt CrimsonRAT docm TransparentTribe

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 23

OLE dump

MalwareBazaar was able to identify 11 sections in this file using oledump:

Section ID	Section size	Section name
A1	493 bytes	PROJECT
A2	71 bytes	PROJECTwm
A3	1052 bytes	VBA/NewMacros
A4	5502 bytes	VBA/ThisDocument
A5	3591 bytes	VBA/_VBA_PROJECT
A6	1088 bytes	VBA/__SRP_0
A7	70 bytes	VBA/__SRP_1
A8	84 bytes	VBA/__SRP_2
A9	103 bytes	VBA/__SRP_3
A10	578 bytes	VBA/dir

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Document_New	Runs when a new Word document is created
AutoExec	Document_Open	Runs when the Word or Publisher document is opened
AutoExec	Document_ContentCont	Runs when the file is opened and ActiveX objects trigger events
Suspicious	Environ	May read system environment variables
Suspicious	Open	May open a file
Suspicious	CopyFile	May copy a file
Suspicious	CopyHere	May copy a file
Suspicious	Shell	May run an executable file or a system command
Suspicious	vbNormalNoFocus	May run an executable file or a system command
Suspicious	MkDir	May create a directory
Suspicious	CreateObject	May create an OLE object
Suspicious	Shell.Application	May run an application (if combined with CreateObject)
Suspicious	System	May run an executable file or a system command on a Mac (if combined with libc.dylib)

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.DOCXSTRGOOD..EXE.200225.UNOFFICIAL

TwinWave.EvilDoc.DOCXSTRGOOD..EXE.211019.UNOFFICIAL

TwinWave.EvilDoc.JasonIdontKnowWhatYourChasin.20220714.UNOFFICIAL

Sanesecurity.Badmacro.Xls.Objs.UNOFFICIAL

TwinWave.EvilDoc.MacroSheetsManInTheMirror.20201124.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

evasive macros macros-on-open masquerade phishing

Link:

https://www.filescan.io/uploads/6523c3e41e07d7e1e9ba64d7/reports/b4a8315f-51e1-42fe-bf73-3e54eca421c0/overview

Verdict:

Malicious

Labled as:

Trojan.Generic.34206153;VB:Trojan.Valyria

Link:

https://www.hybrid-analysis.com/sample/e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404

Result

Threat name:

Crimson

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1322305

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Connects to many ports of the same IP (likely port scanning)

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro which might access itself as a file (possible anti-VM)

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains VBA stomped code (only p-code) potentially bypassing AV detection

Document exploit detected (drops PE files)

Document exploit detected (process start blacklist hit)

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office process drops PE file

Yara detected Crimson RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404/

Threat name:

Win32.Trojan.Valyria

Status:

Malicious

First seen:

2023-10-03 11:04:41 UTC

File Type:

Document

Extracted files:

131

AV detection:

17 of 36 (47.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4ogdtyyc3yky2ixi2c5jzvwmsnuic66gcfayuv3x2afzbkjucqca._file

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e38c39e302de/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e38c39e302de158d22e8d0ba9cd6cc9368817bc611418a5777d00b90a9341404

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	office_document_vba Create hunting rule
Author:	Jean-Philippe Teissier / @Jipe_
Description:	Office document with embedded VBA
Reference:	https://github.com/jipegit/

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_no_import_table Create hunting rule
Author:	qux
Description:	Detects exe does not have import table

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample