Home
Threat Intelligence Posts
Malware Intelligence

Phishing email attachments deliver Crimson RAT

With a malicious intent to attack financial institutions, attackers deliver Crimson RAT via email attachments and links shared through phishing emails.
Updated on
April 19, 2023
Published on
April 8, 2020
Read MINUTES
5
Subscribe to the latest industry news, threats and resources.

The Carrier

  • Two separate spear-phishing email campaigns deliver Crimson RAT through an attachment and a link.
  • The link sent through mail contains a malicious PE (executable) file. It has two ZIP files and a DOC file embedded in the resource section.
  • The attachment sent along with the email has an embedded malicious macro

The Malware

  • On execution, based on the OS version, the malicious attachments drop a 32-bit or 64-bit version of payload stored in the resources.
  • The ZIP payload is dropped and executed to deliver the RAT.
  • Once the RAT is executed, it loads a clean CV DOC file and then executes it.

The Risk

  • Crimson RAT exfiltrates files and system data, transfers it over non-web channels to its command-and-control (C&C) server.
  • The malware, on its own, is also capable of capturing the screen of the target device and terminate any or all running processes.
  • It downloads more payloads from its C&C server to steal browser credentials and record keyboard strokes.

Indicators of Compromise

URLs:
  • cloudsbox[.]net/files/sonam karwati.exe
  • cloudsbox[.]net/sonam11
  • cloudsbox[.]net/files/preet.doc
  • 181.215.47[.]169:3368
  • 181.215.47[.]169:6728
  • 181.215.47[.]169:15418
  • 181.215.47[.]169:8822
  • 181.215.47[.]169:13618
FIle HASHES:
  • 1BBAB11B9548C5E724217E506EAB2056 (sonam karwati.exe)
  • 66DA058E5FE7C814620E8AF54D6ADB96 (brwmarivas7.zip)
  • D62156FA2C5BFFDC63F0975C5482EAB6 (brwmarivas7.exe)
  • 63BA59C20E141E635587F550B46C02CD (brwmarivas8.zip)
  • 88309987F49955F88CCF4F92CFBA6CD7 (brwmarivas8.exe)
  • 5BF97A6CB64AE6FD48D6C5D849BE8983 (rihndimrva.doc)
  • CBFAE579A25DF1E2FE0E02934EFD65DC (sonam.doc)
  • 3952EBEDF24716728B7355B8BE8E71B6 (preet.doc)
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Recent Posts

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action
November 15, 2023
CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks
November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations
Get started
Learn more