Crimson RAT


Crimson is a Remote Access Trojan: malware used to take remote control of infected systems and steal data. This particular RAT is known to be used by a cybergang founded in Pakistan that targets Indian military targets to steal sensitive information.

Type: Trojan
Origin: Pakistan
First seen: 1 January, 2016
Last seen: 4 May, 2023
Also known as: SEEDOOR, Scarimson

How to analyze Crimson RAT with ANY.RUN




What is Crimson RAT?

Crimson is a Remote Access Trojan — it is malware that cybercriminals or threat groups can utilize to gather information from infected systems. The malware is also known under the names SEEDOOR and Scarimson. It can be used to spy on victims, capture screenshots, steal credentials, and more.

Crimson is known to be used in particular by an APT (Advanced Persistent Threat), a state-sponsored cyber gang. Therefore, the Crimson RAT is aimed at a very specific group of victims, among whom are Indian government organizations and the military.

General description of Crimson RAT

Crimson RAT is among the malware families that use coronavirus-related information to infect victims' machines. Using a natural disaster to exploit the need for information and the stress of potential victims is not a new strategy among cybercriminals. In fact, fake information about SARS and other epidemics is still used for phishing in some cyber-attack schemes.

As such, the Crimson malware authors use a fake health advisory email to trick victims into downloading a malicious document.

After the RAT is downloaded and installed, it can perform several malicious functions, most of which are aimed at information gathering. The RAT can record the running processes on an infected machine and share the list with the attackers, take screenshots, and steal information from web browsers. The malware can also download files from a control server onto infected systems.

As mentioned above, the Crimson RAT is operated by an APT, specifically APT36, which is thought to be sponsored by Pakistani officials to conduct military espionage. Thus, the victims of the RAT are almost exclusively Indian officials and military personnel. It is believed that the sensitive information the APT collects is used by Pakistan in military efforts against India.

APT36, also commonly known as Mythic Leopard, has a history of successful attacks on Indian embassies and military infrastructure that resulted in the theft of tactical and training information. However, other malware samples were used in those earlier attacks.

Crimson RAT malware analysis

A video recorded in the ANY.RUN interactive malware analysis service shows the execution process of Crimson RAT.


Figure 1: Shows the execution process of the Crimson RAT. This Graph was generated by ANY.RUN.


Figure 2: Displays a text report that users can create in ANY.RUN. Text reports can be used to demonstrate found information and can be customized to show only necessary data.

Crimson RAT execution process

The Crimson RAT execution process is fairly straightforward, but it can vary from sample to sample. Often, the malware executable is embedded directly inside a malicious document, and once the user opens it, the document drops the trojan. In other cases, a maldoc contains a macro that leverages PowerShell to download and start a Crimson executable. After the trojan starts, it tries to establish a connection with a C2 server and transmits information about the victim's system and the list of processes running on it.

Crimson RAT malware distribution

Crimson RAT spreads through highly targeted email spam campaigns, following the same scenario as Quasar RAT. Spear-phishing techniques that leverage fear of the Covid-19 pandemic are used to trick victims into downloading a Microsoft Office Excel file that allegedly contains information about the outbreak. Once the file is opened, it launches malicious macros or exploits vulnerabilities such as CVE-2017-0199.

How to detect Crimson RAT

Analysts can detect Crimson RAT based on its file operations. To do so, click on the process in the "Process list" section, and in the "Process details" window that appears, click the "More info" button. In the "Event" section, switch from "Friendly" to "Raw". Then enter "Edlacar", "Dhrolas", "Ardscar" or "Dtromera" in the "Filename" field. If operations on a folder with one of these names are found, you are looking at Crimson RAT.
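The folder-name check above, as an added example that is not part of the original page: a Python script that applies the same marker match to raw file-operation events outside the ANY.RUN interface. The event line format, process names and paths are constructed; the four folder names are the ones listed above and are matched only as complete path components, so a file that merely contains "dhrolas" in its name does not trigger.

```python
# Added example (not ANY.RUN code): flag file operations that touch the folder
# names the page lists as Crimson RAT markers. Event format below is constructed.
import re
from typing import Iterable, List, Tuple

# Folder names from the page; matched case-insensitively as a whole path component.
CRIMSON_FOLDER_MARKERS = ("Edlacar", "Dhrolas", "Ardscar", "Dtromera")
_MARKER_RE = re.compile(
    r"[\\/](" + "|".join(map(re.escape, CRIMSON_FOLDER_MARKERS)) + r")(?=[\\/]|$)",
    re.IGNORECASE,
)

# Constructed sample of raw file events: "<pid> <process> <operation> <path>".
# "dropped.exe" is a placeholder process name, not a real Crimson RAT filename.
SAMPLE_EVENTS = """\
4212 WINWORD.EXE Read C:\\Users\\analyst\\Documents\\Health_Advisory.docx
5120 dropped.exe Create C:\\ProgramData\\Dhrolas\\dropped.exe
5120 dropped.exe Write C:\\ProgramData\\Dhrolas\\dropped.exe
3304 explorer.exe Read C:\\Windows\\System32\\shell32.dll
5120 dropped.exe Create C:\\Users\\analyst\\AppData\\Roaming\\edlacar\\
6001 notepad.exe Write C:\\Users\\analyst\\Desktop\\notes_dhrolas.txt
"""


def parse_event(line: str) -> dict:
    """Split one raw event line; the path is the remainder and may contain spaces."""
    pid, process, operation, path = line.split(maxsplit=3)
    return {"pid": int(pid), "process": process, "operation": operation, "path": path}


def find_crimson_folder_ops(lines: Iterable[str]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, process, operation, matched_folder) for every event whose path
    contains one of the marker folders as a full directory component."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        match = _MARKER_RE.search(ev["path"])
        if match:
            hits.append((ev["pid"], ev["process"], ev["operation"], match.group(1)))
    return hits


def suspicious_pids(lines: Iterable[str]) -> set:
    """PIDs that touched a marker folder at least once; these are the processes
    the analyst should treat as Crimson RAT according to the page's rule."""
    return {pid for pid, _, _, _ in find_crimson_folder_ops(lines)}
```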

Conclusion

Crimson, like Netwalker, is a prime example of a threat actor using a pandemic or other natural disaster to gain leverage over its victims and trick them into installing malware. So far this particular malware has been used almost exclusively in military espionage, but it may very well become more widespread in the future.

Since this is a lesser-known malware, not many samples are available to analyze. Thankfully, the ANY.RUN malware hunting service offers an opportunity to study this RAT in an interactive simulation, allowing quick and simple dynamic analysis in a secure online environment.

