File name: CrimsonRat 2.2.7 Private.zip
Full analysis: https://app.any.run/tasks/e019a90f-1b20-4767-aa0d-1a118c83f698
Verdict: Malicious activity
Analysis date: November 16, 2019, 09:25:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B2326F902283F2639F324A5403E6FBEA
SHA1: 28E3ACC154082EBD07F8A3C572C354D6A493BD7A
SHA256: B99040C2008B78775C46DA7FEAE12D83E6D324FEFB4F6D437BD61DD48D08BFD7
SSDEEP: 98304:lbhEHzKJ9cXIjaKsctNBTYNIS5/goNIHPN7:/ETKJ9cXIjswfEb9IHN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Actions look like stealing of personal data
      • javaw.exe (PID: 1788)
    • Changes the autorun value in the registry
      • reg.exe (PID: 2964)
  • SUSPICIOUS
    • Uses ATTRIB.EXE to modify file attributes
      • javaw.exe (PID: 1788)
      • javaw.exe (PID: 2620)
    • Application launched itself
      • javaw.exe (PID: 1788)
      • javaw.exe (PID: 2620)
    • Executes JAVA applets
      • javaw.exe (PID: 1788)
      • javaw.exe (PID: 2620)
    • Creates files in the user directory
      • javaw.exe (PID: 1788)
      • javaw.exe (PID: 2620)
    • Checks for external IP
      • javaw.exe (PID: 1788)
    • Writes to a desktop.ini file (may be used to cloak folders)
      • javaw.exe (PID: 2620)
    • Uses REG.EXE to modify Windows registry
      • javaw.exe (PID: 2620)
  • INFO
    • Manual execution by user
      • javaw.exe (PID: 1788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.kmz | Google Earth saved working session (60%)
.zip | ZIP compressed archive (40%)

EXIF

ZIP
ZipFileName: CrimsonRat 2.2.7 Private/
ZipUncompressedSize: -
ZipCompressedSize: 2
ZipCRC: 0x00000000
ZipModifyDate: 2019:11:16 17:25:09
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 8
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in launch order (nodes marked "no specs" carry no indicators of their own): start; winrar.exe (no specs); javaw.exe; attrib.exe (no specs); javaw.exe (no specs); reg.exe; attrib.exe (no specs); attrib.exe (no specs); javaw.exe (no specs)

Process information

PID: 2304
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CrimsonRat 2.2.7 Private.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1788
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\CrimsonRAT v2.2.7 Private FULL.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 2004
CMD: attrib +h .Ssettings.properties
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2620
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Windows7552542972655710588.png"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 2964
CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v bFnTnqeht7QWEQW /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\9zlMmaTQcHQQQWE.txt\"" /f
Path: C:\Windows\system32\reg.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2708
CMD: attrib +s +h +r "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\*.*"
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3892
CMD: attrib +s +h +r "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE"
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1412
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\9zlMmaTQcHQQQWE.txt"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14
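The process table above contains the whole persistence chain in plain command lines: javaw.exe (PID 1788) runs a second copy (PID 2620) against a JAR stored under a .png name in %TEMP%; that copy registers an HKCU Run value whose data is itself a javaw.exe -jar command pointing at a .txt in a freshly created Roaming folder, and attrib.exe then marks the folder and its contents system, hidden and read-only. The script below is an added example and not part of the ANY.RUN report or its signature set: it tokenizes the command lines copied from the table (used here as constructed sample input, keyed by PID) and flags the three behaviours with its own heuristics. The rule names, the recursive handling of the reg.exe /d value, and the tokenizer are assumptions of this example, not ANY.RUN logic.

```python
"""Flag the persistence chain in this report from raw command lines.

Added example, not part of the ANY.RUN report. SAMPLE_CMDLINES is copied from
the process table above; the rule names and checks are this script's own
heuristics, not ANY.RUN signatures.
"""
import re
from typing import Dict, List

# Command lines from the report's process table, keyed by PID (constructed sample input).
SAMPLE_CMDLINES: Dict[int, str] = {
    2304: r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\CrimsonRat 2.2.7 Private.zip"',
    1788: r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\CrimsonRAT v2.2.7 Private FULL.jar"',
    2004: r'attrib +h .Ssettings.properties',
    2620: r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Windows7552542972655710588.png"',
    2964: r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v bFnTnqeht7QWEQW /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\9zlMmaTQcHQQQWE.txt\"" /f',
    2708: r'attrib +s +h +r "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\*.*"',
    3892: r'attrib +s +h +r "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE"',
    1412: r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\mgYMAZRR9oAQWE\9zlMmaTQcHQQQWE.txt"',
}

# One argument per match: a double-quoted run (backslash-quote allowed inside) or a bare run.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, unescaping backslash-quote inside quotes.

    Sufficient for the lines in this report; a path ending in a backslash directly
    before its closing quote would be mis-parsed (assumption of this example).
    """
    return [bare if bare else quoted.replace('\\"', '"')
            for quoted, bare in TOKEN_RE.findall(cmdline)]


def image_name(argv0: str) -> str:
    """Reduce 'C:\\...\\javaw.exe' to 'javaw' and 'reg' to 'reg' for comparisons."""
    name = argv0.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def analyze(pid: int, cmdline: str, findings: List[dict], via: str = "process") -> None:
    argv = tokenize(cmdline)
    if not argv:
        return
    exe, args = image_name(argv[0]), argv[1:]
    low = [a.lower() for a in args]

    # java/javaw -jar <file>: the JVM loads any ZIP with a manifest, whatever the extension.
    if exe in ("java", "javaw") and "-jar" in low:
        i = low.index("-jar") + 1
        if i < len(args) and not low[i].endswith(".jar"):
            findings.append({"pid": pid, "rule": "jar_extension_mismatch", "detail": args[i], "via": via})

    # reg add ...\CurrentVersion\Run: autorun persistence. The /d value is itself a command
    # line, so it is analysed recursively; that is what surfaces the .txt payload.
    if exe == "reg" and low[:1] == ["add"] and len(args) > 1 and "\\currentversion\\run" in low[1]:
        value = ""
        if "/d" in low and low.index("/d") + 1 < len(args):
            value = args[low.index("/d") + 1]
        findings.append({"pid": pid, "rule": "run_key_persistence", "detail": f"{args[1]} -> {value}", "via": via})
        if value:
            analyze(pid, value, findings, via="run_key_value")

    # attrib +h / +s: hides the dropped payload from a default Explorer view.
    if exe == "attrib" and ("+h" in low or "+s" in low):
        for target in (a for a in args if not a.startswith(("+", "-", "/"))):
            findings.append({"pid": pid, "rule": "attrib_hide", "detail": target, "via": via})


def scan(cmdlines: Dict[int, str]) -> List[dict]:
    findings: List[dict] = []
    for pid, cmd in cmdlines.items():
        analyze(pid, cmd, findings)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"PID {f['pid']:>4} {f['rule']:<22} ({f['via']}) {f['detail']}")
```

Run against the eight lines it reports seven findings: the three attrib invocations, the Run key itself, and a loader/extension mismatch for PIDs 2620 and 1412 plus one more derived from the Run value, while the legitimate-looking "-jar ...FULL.jar" start of PID 1788 is left alone. On a live host the same function can be fed Sysmon event ID 1 CommandLine fields instead of the constructed dictionary.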
Total events: 901
Read events: 876
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 9
Suspicious files: 0
Text files: 12
Unknown types: 1

Dropped files

PID: 1788  Process: javaw.exe  Type: java
Filename: C:\Users\admin\AppData\Local\Temp\Windows7552542972655710588.png
MD5: B6A82DA1CB442D243CE3F9EABDCB633B
SHA256: 66877950B693FE783AD3F38E78BD8F5A2BD3294C4E9B7CE4053EDEBBCAEC55D8

PID: 2304  Process: WinRAR.exe  Type: java
Filename: C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\lib\jcalendarbutton-1.4.5.jar
MD5: 5FCCDEED0F4F76022F320592A378C561
SHA256: 0CE6019B261C00E7D4B383AA257BADA229AEEB80CF62E5B1DEDFE5EAEDBAF4BB

PID: 2304  Process: WinRAR.exe  Type: java
Filename: C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\lib\JTattoo-1.6.10.jar
MD5: F4EF8707F6530320BA2CC03C365653C5
SHA256: F2FBE24D8B4824E7BFD7E512A19D6B5622762D0358BE44194E1AD1B5BAE983E7

PID: 1788  Process: javaw.exe  Type: text
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5: FDA7C25C48CE2E1C4BF48F2EAB5194CE
SHA256: CA61AA4CF33DED0954DCC73E4A37D6B53D711F7D8F74ACBA6EB79C980A297A4F

PID: 2620  Process: javaw.exe  Type: text
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5: 430620D7F35E9B9D5E36497B0F745C34
SHA256: 8BEBBF2B1782CF93CDBEBDE8853150FE22EE88294EC07DB8AB5ECEE7B701A2D8

PID: 2620  Process: javaw.exe  Type: text
Filename: C:\Users\admin\2YmY99xxmY.tmp
MD5: 735D7FBD23C3E4A0B391D5B4C32AC3D5
SHA256: 41BDF496942D3A56E0803DA3D81C616E15829FB6141516F77E98E9C49189B623

PID: 2304  Process: WinRAR.exe  Type: java
Filename: C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\CrimsonRAT v2.2.7 Private FULL.jar
MD5: 0AD2EB07CB3F0FB8906CAD2B7F789C65
SHA256: CCB38312623813639AD0D36247174177DAED7712BCC22206A85D3DD39C3B064D

PID: 2304  Process: WinRAR.exe  Type: java
Filename: C:\Users\admin\Desktop\CrimsonRat 2.2.7 Private\lib\services.jar
MD5: 169240C0654FF209205A99A8B890A5B6
SHA256: D51084B74E4776CF761ECBE5B0F9806BD8ACDDF6FCAE926CC97A3E5F8F8C06C5

PID: 1412  Process: javaw.exe  Type: text
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
MD5: BCE1300341D91663786236B110344C33
SHA256: CBB859D1F1BAB9AACFBA6F8CE36474024D02532BB736E71066758F3F75C63528

PID: 1788  Process: javaw.exe  Type: dbf
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
MD5: C8366AE350E7019AEFC9D1E6E6A498C6
SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
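The first dropped file is named Windows7552542972655710588.png but typed "java" by the sandbox, and PID 2620 runs it with -jar; the Run value later points javaw.exe at a .txt. The JVM does not look at the extension, only at whether the file is a ZIP with a META-INF/MANIFEST.MF. The following is an added example, not code from the report or from ANY.RUN: it classifies a file by its ZIP signature and manifest rather than its name. The real dropped files' contents are not on this page, so stand-ins with the report's file names are constructed in a temporary directory; the stub Main-Class name and the placeholder class entry are assumptions of this example.

```python
"""Tell a JAR from its contents, not its extension.

Added example, not part of the ANY.RUN report. The dropped files' real contents
are not on this page, so stand-ins with the report's file names are constructed
in a temporary directory.
"""
import os
import tempfile
import zipfile
from typing import Dict


def classify(path: str) -> dict:
    """Report what a file really is: leading magic, ZIP validity, JAR manifest Main-Class."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    magic = "zip" if head.startswith(b"PK\x03\x04") else "png" if head.startswith(b"\x89PNG") else "other"
    info = {
        "ext": os.path.splitext(path)[1].lower(),
        "magic": magic,
        "is_zip": zipfile.is_zipfile(path),  # validates the end-of-central-directory record
        "is_jar": False,
        "main_class": None,
        "masquerade": False,
    }
    if info["is_zip"]:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            if "META-INF/MANIFEST.MF" in names:
                for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        info["main_class"] = line.split(":", 1)[1].strip()
            info["is_jar"] = info["main_class"] is not None or any(n.endswith(".class") for n in names)
    # A runnable JAR stored under any extension other than .jar is what PID 2620 and the Run value load.
    info["masquerade"] = info["is_jar"] and info["ext"] != ".jar"
    return info


def make_stub_jar(path: str, main_class: str) -> None:
    """Write a minimal JAR: manifest plus a placeholder class entry (class-file magic only)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        zf.writestr(main_class.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")


def build_samples(directory: str) -> Dict[str, str]:
    """Constructed stand-ins named like the report's files; contents are not the real samples."""
    paths = {
        "jar_as_png": os.path.join(directory, "Windows7552542972655710588.png"),
        "jar_as_txt": os.path.join(directory, "9zlMmaTQcHQQQWE.txt"),
        "real_png": os.path.join(directory, "screenshot.png"),
    }
    make_stub_jar(paths["jar_as_png"], "stub.Main")   # assumed Main-Class name
    make_stub_jar(paths["jar_as_txt"], "stub.Main")
    with open(paths["real_png"], "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # PNG signature plus padding, not a valid image
    return paths


def demo() -> Dict[str, dict]:
    with tempfile.TemporaryDirectory() as d:
        return {label: classify(p) for label, p in build_samples(d).items()}


if __name__ == "__main__":
    for label, info in demo().items():
        print(label, info)
```

Both stand-ins come back as JARs with a Main-Class and masquerade set, while the file that really starts with the PNG signature does not. Checking zipfile.is_zipfile as well as the leading magic matters because a ZIP is located from its end-of-central-directory record, so a polyglot that starts with an image header and carries the archive after it is still loadable by the JVM.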
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 3
Threats: 0

HTTP requests

PID  | Process   | Method | HTTP Code | IP               | URL                               | CN | Type | Size    | Reputation
1788 | javaw.exe | GET    | 301       | 104.26.15.73:80  | http://freegeoip.net/xml/Unknown  | US | -    | -       | shared
1788 | javaw.exe | GET    | 403       | 104.26.15.73:80  | http://freegeoip.net/shutdown     | US | text | 1.51 Kb | shared

Connections

PID  | Process   | IP              | Domain        | ASN            | CN | Reputation
1788 | javaw.exe | 104.26.15.73:80 | freegeoip.net | Cloudflare Inc | US | shared

DNS requests

Domain                 | IP                          | Reputation
checkip.amazonaws.csom | -                           | unknown  (sic: queried with the ".csom" typo)
freegeoip.net          | 104.26.15.73, 104.26.14.73  | shared
crimsonrat.org         | -                           | unknown

Threats

3 ETPRO signatures available at the full report
No debug info