Home
Threat Intelligence Posts

Phishing email attachments deliver Crimson RAT

With a malicious intent to attack financial institutions, attackers deliver Crimson RAT via email attachments and links shared through phishing emails.
Updated on
February 27, 2023
Published on
April 8, 2020
Read time
5
Subscribe to the latest industry news, technologies and resources.

The Carrier

  • Two separate spear-phishing email campaigns deliver Crimson RAT through an attachment and a link.
  • The link sent through mail contains a malicious PE (executable) file. It has two ZIP files and a DOC file embedded in the resource section.
  • The attachment sent along with the email has an embedded malicious macro

The Malware

  • On execution, based on the OS version, the malicious attachments drop a 32-bit or 64-bit version of payload stored in the resources.
  • The ZIP payload is dropped and executed to deliver the RAT.
  • Once the RAT is executed, it loads a clean CV DOC file and then executes it.

The Risk

  • Crimson RAT exfiltrates files and system data, transfers it over non-web channels to its command-and-control (C&C) server.
  • The malware, on its own, is also capable of capturing the screen of the target device and terminate any or all running processes.
  • It downloads more payloads from its C&C server to steal browser credentials and record keyboard strokes.

Indicators of Compromise

URLs:
  • cloudsbox[.]net/files/sonam karwati.exe
  • cloudsbox[.]net/sonam11
  • cloudsbox[.]net/files/preet.doc
  • 181.215.47[.]169:3368
  • 181.215.47[.]169:6728
  • 181.215.47[.]169:15418
  • 181.215.47[.]169:8822
  • 181.215.47[.]169:13618
FIle HASHES:
  • 1BBAB11B9548C5E724217E506EAB2056 (sonam karwati.exe)
  • 66DA058E5FE7C814620E8AF54D6ADB96 (brwmarivas7.zip)
  • D62156FA2C5BFFDC63F0975C5482EAB6 (brwmarivas7.exe)
  • 63BA59C20E141E635587F550B46C02CD (brwmarivas8.zip)
  • 88309987F49955F88CCF4F92CFBA6CD7 (brwmarivas8.exe)
  • 5BF97A6CB64AE6FD48D6C5D849BE8983 (rihndimrva.doc)
  • CBFAE579A25DF1E2FE0E02934EFD65DC (sonam.doc)
  • 3952EBEDF24716728B7355B8BE8E71B6 (preet.doc)

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Related Intelligence Posts
No items found.