Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Crimson RAT

crimson rat trojan
103
Global rank
107 infographic chevron month
Month rank
85 infographic chevron week
Week rank
0
IOCs

Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.

Trojan
Type
Pakistan
Origin
1 January, 2016
First seen
13 January, 2025
Last seen
Also known as
SEEDOOR
Scarimson

How to analyze Crimson RAT with ANY.RUN

Trojan
Type
Pakistan
Origin
1 January, 2016
First seen
13 January, 2025
Last seen

IOCs

Last Seen at
30 July, 2024
Malicious activity
59c2e5e0f67781a6339796a931a0b76a07bb665794b2163648f96facff75e503.exe
rat
crimson
29 July, 2024
Malicious activity
26ef4caf641a3ee628539d915b7ff78b.exe
rat
crimson
29 July, 2024
Malicious activity
26ef4caf641a3ee628539d915b7ff78b.exe
rat
crimson
3 April, 2024
Malicious activity
data required Brief about Plans to Launch part 1 .exe
rat
crimson
4 May, 2023
Malicious activity
Book1
macros
macros-on-open
rat
crimson
23 February, 2023
Malicious activity
9b75e3e28f95345937f507b281e2a32a.exe
trojan
rat
crimson
11 January, 2023
Malicious activity
199a63dfaea55bc2a7beeb493bfbc717217479edfc4793597a89ab541c92f4d9.zip
rat
crimson
11 January, 2023
Malicious activity
199a63dfaea55bc2a7beeb493bfbc717217479edfc4793597a89ab541c92f4d9.zip
rat
crimson
8 November, 2022
Malicious activity
5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea
trojan
rat
crimson
26 September, 2022
Malicious activity
laragon.exe
trojan
rat
crimson
TRACK THEM ALL AT
Public Submissions
Last Seen at
30 July, 2024
Malicious activity
59c2e5e0f67781a6339796a931a0b76a07bb665794b2163648f96facff75e503.exe
rat
crimson
29 July, 2024
Malicious activity
26ef4caf641a3ee628539d915b7ff78b.exe
rat
crimson
29 July, 2024
Malicious activity
26ef4caf641a3ee628539d915b7ff78b.exe
rat
crimson
3 April, 2024
Malicious activity
data required Brief about Plans to Launch part 1 .exe
rat
crimson
4 May, 2023
Malicious activity
Book1
macros
macros-on-open
rat
crimson
23 February, 2023
Malicious activity
9b75e3e28f95345937f507b281e2a32a.exe
trojan
rat
crimson
11 January, 2023
Malicious activity
199a63dfaea55bc2a7beeb493bfbc717217479edfc4793597a89ab541c92f4d9.zip
rat
crimson
11 January, 2023
Malicious activity
199a63dfaea55bc2a7beeb493bfbc717217479edfc4793597a89ab541c92f4d9.zip
rat
crimson
8 November, 2022
Malicious activity
5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea
trojan
rat
crimson
26 September, 2022
Malicious activity
laragon.exe
trojan
rat
crimson
TRACK THEM ALL AT
Public Submissions

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

Contents

  • What is Crimson RAT?
  • General description of Crimson RAT
  • Crimson RAT malware analysis
  • Crimson RAT execution process
  • Crimson RAT malware distribution
  • How to detect Crimson RAT
  • Conclusion

Recent blog posts

post image
Malware Trends Overview Report: 2024
watchers 4958
comments 0
post image
YARA Rules: Cyber Threat Detection Tool for M...
watchers 680
comments 0
post image
Threat Intelligence Pivoting: Actionable Insi...
watchers 557
comments 0

What is Crimson RAT?

Crimson is a Remote Access Trojan — it is malware that cybercriminals or threat groups can utilize to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials, and more.

Crimson is known to be used particularly by an APT (Advanced Persistent Threat), a cyber gang founded by a state. Therefore, the Crimson RAT is targeted at a very specific group of victims, among whom are Indian Government organizations and the military.

General description of Crimson RAT

Crimson RAT is among malware that utilizes information related to the coronavirus to infect the machines of their victims. The strategy of using a natural disaster to exploit the need for information and the stress of potential victims is not new among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing by some cyber-attack schemes.

As such, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed it can perform several malicious functions, most of which are targeted at information gathering. The RAT can record and share running processes on an infected machine with the attackers, take screenshots, and steal information from web-browsers. Also, the malware has the capability to download files into infected systems from a control server.

As we mentioned above, the Crimson RAT is operated by an APT. In particular, APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively among Indian officials and military personal. It is believed that retrieved sensitive information that the APT collects is used by Pakistan in military efforts against India.

In fact, APT36 is also commonly known under the name Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the stealing of tactical and training information. However, other malware samples have been used in previous attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.

crimson_process_graph

Figure 1: Shows the execution process of the Crimson RAT. This Graph was generated by ANY.RUN.

crimson_text_report

Figure 2: Displays a text report that users can create in ANY.RUN. Text reports can be used to demonstrate found information and can be customized to show only necessary data.

Crimson RAT execution process

Crimson RAT execution process is pretty straightforward but it can vary from sample to sample. Often, the malware executable file is located directly inside a malicious document and once the user opens it, the file drops the trojan. In other cases, a maldoc can contain a macro that leverages Powershell to download and start a Crimson executable file. After the trojan starts, it will try to establish a connection with a C2 server and transmit information about the victim's system and the list of running processes on that system.

Crimson RAT malware distribution

Crimson RAT spreads using highly targeted email spam campaigns using the same scenario as Quasar RAT. Spear Phishing techniques that leverage the fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file, which allegedly contains information related to the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities, such as CVE-2017–0199 for example.

How to detect Crimson RAT

Analysts can detect the Crimson RAT based on file operations. To do so, click on the process in the "Process list" section, and in the appeared "Process details" window click the "More info" button. In the "Event" section switch from "Friendly" to "Raw". After that, enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations with a folder with such names are found, be sure — that’s the Crimson RAT in front of you.

Conclusion

Crimson the same as Netwalker is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far this particular malware has been used almost exclusively in military espionage, but it may very well become more widespread in the future.

Since this is a lesser-known malware, not a lot of samples are available to analyze. Thankfully, ANY.RUN malware hunting service presents an opportunity to study this RAT in an interactive simulation, allowing for quick and simple dynamic analysis in a secure online environment.

HAVE A LOOK AT

Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
PureCrypter screenshot
PureCrypter
purecrypter
First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More