General

  • Target

    .

  • Size

    147KB

  • Sample

    240503-vtwb3sbf8t

  • MD5

    5a86190d2432d5a97e5e68a6a1b4c7e2

  • SHA1

    124ebb185402143551cff607e9e8658bd594dfcd

  • SHA256

    9bf38073eddcb98b0ddeb3785326c2624d40592f326ccb7f78757886ec25d573

  • SHA512

    b5c0d15f0476c872e36fe29e21e69fa551fdc4e1140c34aa18b4bd305b6ab1b33621a25a2fab222b79f6af6cc6804eb0c9848f9b4b80d17a52f1f3eccd9cc9ae

  • SSDEEP

    1536:o4kud8LonVJoqYarK4DsYNgRyypRMPuNPV5nPztP4FPfaParP8R4DJ2PWTllU0ru:TkPL6WVMllhAY9HhqiS

Malware Config

  • Extracted

    Family: crimsonrat
    C2: 185.136.161.124

  • Extracted

    Family: revengerat
    Botnet: Guest
    C2: 0.tcp.ngrok.io:19521
    Mutex: RV_MUTEX

Targets

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • RevengeRat Executable

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Matrix ATT&CK v13

  • Execution

    Scripting (1) T1064
    Scheduled Task/Job (1) T1053

  • Persistence

    Scheduled Task/Job (1) T1053

  • Privilege Escalation

    Scheduled Task/Job (1) T1053

  • Defense Evasion

    Scripting (1) T1064
    Subvert Trust Controls (1) T1553
    Install Root Certificate (1) T1553.004
    Modify Registry (1) T1112

  • Credential Access

    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001

  • Discovery

    Query Registry (7) T1012
    Peripheral Device Discovery (3) T1120
    System Information Discovery (6) T1082

  • Collection

    Data from Local System (1) T1005

  • Command and Control

    Web Service (1) T1102