
Windows Analysis Report
mrndzgmniU.exe

Overview

General Information

Sample Name: mrndzgmniU.exe
Analysis ID: 734377
MD5: 543e6753b0fcdb5099ff718337f460ca
SHA1: 561c10c491fc7823b99bf5102d878a3f15e6a90c
SHA256: ca74472613129855bd7fc79c4a245a2f27de85086cfd191506f1c9906b9ae460

Detection

Crimson
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Crimson RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Contains functionality to capture screen (.Net source)
Connects to many ports of the same IP (likely port scanning)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
May sleep (evasive loops) to hinder dynamic analysis
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
PE / OLE file has an invalid certificate
Potential time zone aware malware
Program does not show much activity (idle)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

Process Tree

  • System is w10x64
  • mrndzgmniU.exe (PID: 5508, cmdline: C:\Users\user\Desktop\mrndzgmniU.exe, MD5: 543E6753B0FCDB5099FF718337F460CA)
  • cleanup

Malware Configuration

Crimson: {"C2 url": "157.251.115.215"}
Yara matches on the initial sample:

Source: mrndzgmniU.exe; Rule: JoeSecurity_Crimson_RAT; Description: Yara detected Crimson RAT; Author: Joe Security
Source: mrndzgmniU.exe; Rule: MALWARE_Win_CrimsonRAT; Description: Detects CrimsonRAT; Author: ditekSHen; Strings:
  • 0x99ffd6:$s9: see_scren
  • 0x9a0041:$s11: see_responce
  • 0x9a0ec0:$s11: see_responce
  • 0x9a0edd:$s11: see_responce
  • 0x9a0efa:$s11: see_responce
  • 0x9a0f17:$s11: see_responce
  • 0x9a0f34:$s11: see_responce
  • 0x9a0f51:$s11: see_responce
  • 0x9a0f6e:$s11: see_responce
  • 0x9a0fbe:$s11: see_responce
  • 0x9a0fdb:$s11: see_responce
  • 0x9a0ff8:$s11: see_responce
  • 0x9a1015:$s11: see_responce
  • 0x9a1032:$s11: see_responce
  • 0x9a104f:$s11: see_responce
  • 0x9a106c:$s11: see_responce
  • 0x99ffc2:$s12: pull_data
  • 0x99fc05:$s13: do_process
  • 0x99fbcc:$s14: do_updated
  • 0x9a28b8:$s16: #Runing|ver#
  • 0x9a2930:$s17: |fileslog=

Yara matches on memory dumps:

Source: 00000000.00000000.258647249.00000239DBF90000.00000002.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_Crimson_RAT; Description: Yara detected Crimson RAT; Author: Joe Security
Source: Process Memory Space: mrndzgmniU.exe PID: 5508; Rule: JoeSecurity_Crimson_RAT; Description: Yara detected Crimson RAT; Author: Joe Security

Yara matches on unpacked PE files:

Source: 0.0.mrndzgmniU.exe.239db5f0000.0.unpack; Rule: JoeSecurity_Crimson_RAT; Description: Yara detected Crimson RAT; Author: Joe Security
Source: 0.0.mrndzgmniU.exe.239db5f0000.0.unpack; Rule: MALWARE_Win_CrimsonRAT; Description: Detects CrimsonRAT; Author: ditekSHen; Strings:
  • 0x99ffd6:$s9: see_scren
  • 0x9a0041:$s11: see_responce
  • 0x9a0ec0:$s11: see_responce
  • 0x9a0edd:$s11: see_responce
  • 0x9a0efa:$s11: see_responce
  • 0x9a0f17:$s11: see_responce
  • 0x9a0f34:$s11: see_responce
  • 0x9a0f51:$s11: see_responce
  • 0x9a0f6e:$s11: see_responce
  • 0x9a0fbe:$s11: see_responce
  • 0x9a0fdb:$s11: see_responce
  • 0x9a0ff8:$s11: see_responce
  • 0x9a1015:$s11: see_responce
  • 0x9a1032:$s11: see_responce
  • 0x9a104f:$s11: see_responce
  • 0x9a106c:$s11: see_responce
  • 0x99ffc2:$s12: pull_data
  • 0x99fc05:$s13: do_process
  • 0x99fbcc:$s14: do_updated
  • 0x9a28b8:$s16: #Runing|ver#
  • 0x9a2930:$s17: |fileslog=

No Sigma rule has matched
No Snort rule has matched
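The Yara tables above print each hit as offset:identifier:literal. The following added example (not code from the report, and not the JoeSecurity_Crimson_RAT or MALWARE_Win_CrimsonRAT rule, whose bodies the report does not show) re-implements that match listing in Python so the indicator strings can be checked quickly against a dump or carved file. The identifiers and literals are copied from the match table; the buffer it scans is constructed, and the minimum-count condition in matches_rule is an assumption for illustration, not the real rules' condition.

```python
# Added example (not from the Joe Sandbox report and not the Yara rules it
# cites): reproduce the report's "offset:$id: literal" match listing for the
# Crimson RAT indicator strings. The identifiers and literals below are copied
# from the match table; the rule bodies themselves are not reproduced.
import re
from typing import Dict, List, Set, Tuple

# Identifier -> literal, in the order the report lists them.
CRIMSON_STRINGS: Dict[str, bytes] = {
    "$s9": b"see_scren",
    "$s11": b"see_responce",
    "$s12": b"pull_data",
    "$s13": b"do_process",
    "$s14": b"do_updated",
    "$s16": b"#Runing|ver#",
    "$s17": b"|fileslog=",
}

Hit = Tuple[int, str, bytes]


def find_matches(data: bytes) -> List[Hit]:
    """Every occurrence of every indicator string in data, grouped by
    identifier (dict order) and by ascending offset within each identifier,
    which is how the report prints them."""
    hits: List[Hit] = []
    for ident, literal in CRIMSON_STRINGS.items():
        for m in re.finditer(re.escape(literal), data):
            hits.append((m.start(), ident, literal))
    return hits


def distinct_identifiers(hits: List[Hit]) -> Set[str]:
    return {ident for _, ident, _ in hits}


def matches_rule(hits: List[Hit], minimum: int = 5) -> bool:
    """Illustrative condition: at least `minimum` distinct identifiers present.
    The threshold is an assumption for this example; the real rules' conditions
    are not shown in the report."""
    return len(distinct_identifiers(hits)) >= minimum


def format_report(hits: List[Hit]) -> List[str]:
    """Render hits the way the report does, e.g. '0x99ffd6:$s9: see_scren'."""
    return [f"0x{off:x}:{ident}: {lit.decode('ascii')}" for off, ident, lit in hits]


# Constructed buffer standing in for the sample: filler bytes with the
# indicator strings embedded, see_responce repeated as in the report.
SAMPLE = (
    b"\x00" * 64 + b"do_updated" + b"\x00" * 16 + b"do_process" + b"\x00" * 8
    + b"pull_data\x00" + b"see_scren\x00" + b"see_responce\x00" * 3
    + b"\x90" * 32 + b"#Runing|ver#" + b"\x00" * 4 + b"|fileslog=" + b"\x00" * 16
)

if __name__ == "__main__":
    hits = find_matches(SAMPLE)
    print("\n".join(format_report(hits)))
    print("rule condition met:", matches_rule(hits))
```

Run it against a process memory dump or the unpacked PE to get the same offset listing the sandbox produced; the offsets in the report are file offsets into the scanned object, so they differ between the on-disk sample and the unpacked image.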


          AV Detection

Source: mrndzgmniU.exe; Avira: detected
Source: mrndzgmniU.exe; ReversingLabs: Detection: 88%
Source: mrndzgmniU.exe; Metadefender: Detection: 36%
Source: mrndzgmniU.exe; Joe Sandbox ML: detected
Source: 0.0.mrndzgmniU.exe.239db5f0000.0.unpack; Avira: Label: TR/Spy.Gen
Source: mrndzgmniU.exe; Malware Configuration Extractor: Crimson {"C2 url": "157.251.115.215"}
Source: mrndzgmniU.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mrndzgmniU.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: g:\vidhagirea\vidhagirea\obj\Debug\vidhagirea.pdb; source: mrndzgmniU.exe

          Networking

Source: global traffic; TCP traffic: 164.68.96.32 ports 8169,3,4,3468,6,8
Source: Malware configuration extractor; IPs: 157.251.115.215
Source: global traffic; TCP traffic: 192.168.2.3:49698 -> 164.68.96.32:3468
Source: Joe Sandbox View; ASN Name: CONTABODE CONTABODE
Source: unknown; TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: mrndzgmniU.exe, 00000000.00000003.266261403.00000239F65E6000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.266282463.00000239F65E6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://en.w
Source: mrndzgmniU.exe, 00000000.00000003.266377793.00000239F65DB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://en.wi
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://fontfabrik.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: mrndzgmniU.exe, 00000000.00000003.272214371.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.272242930.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.cok
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.278874149.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279247863.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mrndzgmniU.exe, 00000000.00000003.272153618.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: mrndzgmniU.exe, 00000000.00000002.529734584.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279694125.00000239F65BA000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.278874149.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279485557.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279247863.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersa9
Source: mrndzgmniU.exe, 00000000.00000002.529601682.00000239F65A0000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com9
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: mrndzgmniU.exe, 00000000.00000003.270768085.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.270688558.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.270861576.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDn
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: mrndzgmniU.exe; String found in binary or memory: https://www.sysinternals.com0
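Three of the network findings above can be reproduced from plain flow records: one destination (164.68.96.32) contacted on many distinct ports, TCP traffic to an IP that was never resolved via DNS, and traffic on non-standard ports. The report also shows that the C2 in the extracted configuration (157.251.115.215) is not the address the sample actually talked to in the sandbox, so both belong in the IOC list. The added example below (not code from the report) implements those checks over constructed flow records built from the report's observations; the port threshold, the well-known-port list and the benign documentation-range address 203.0.113.10 are assumptions for illustration.

```python
# Added example (not from the Joe Sandbox report): reproduce, from flow
# records, the network behaviours the report flags for this sample and
# compare the configured C2 with the destinations actually contacted.
# The flow records are constructed from the report's observations.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"


# Assumption for this example: ports treated as "standard". Anything else is
# reported as non-standard, mirroring the "traffic on non-standard ports" signature.
WELL_KNOWN_PORTS: Set[int] = {21, 22, 25, 53, 80, 110, 143, 443, 993, 995}


def ports_per_destination(flows: Iterable[Flow]) -> Dict[str, Set[int]]:
    ports: Dict[str, Set[int]] = defaultdict(set)
    for f in flows:
        ports[f.dst].add(f.dport)
    return dict(ports)


def multi_port_destinations(flows: Iterable[Flow], threshold: int = 4) -> List[str]:
    """Destinations contacted on at least `threshold` distinct ports
    ("Connects to many ports of the same IP"). The threshold is an
    assumption, not the sandbox's value."""
    return sorted(d for d, p in ports_per_destination(flows).items() if len(p) >= threshold)


def destinations_without_dns(flows: Iterable[Flow], resolved: Set[str]) -> List[str]:
    """Destination IPs never seen in a DNS answer: hard-coded or config-supplied
    addresses ("TCP traffic detected without corresponding DNS query")."""
    return sorted({f.dst for f in flows if f.dst not in resolved})


def non_standard_port_flows(flows: Iterable[Flow], standard: Set[int] = WELL_KNOWN_PORTS) -> List[Flow]:
    return [f for f in flows if f.dport not in standard]


def config_vs_observed(config_c2: str, flows: Iterable[Flow]) -> Dict[str, object]:
    """Did the sample contact the C2 from its extracted configuration, and what
    else did it talk to? Both sets belong in the IOC list."""
    observed = {f.dst for f in flows}
    return {
        "config_c2": config_c2,
        "config_c2_contacted": config_c2 in observed,
        "other_destinations": sorted(observed - {config_c2}),
    }


# Constructed flows: the sandbox client 192.168.2.3 reaching the ports the
# report lists for 164.68.96.32, plus one benign HTTPS flow to a
# documentation-range address (203.0.113.10) that was resolved via DNS.
FLOWS: List[Flow] = [Flow("192.168.2.3", "164.68.96.32", p) for p in (8169, 3, 4, 3468, 6, 8)]
FLOWS.append(Flow("192.168.2.3", "203.0.113.10", 443))
DNS_ANSWERS: Set[str] = {"203.0.113.10"}
CONFIG_C2 = "157.251.115.215"  # from the report's extracted Crimson configuration

if __name__ == "__main__":
    print("many ports:", multi_port_destinations(FLOWS))
    print("no DNS:", destinations_without_dns(FLOWS, DNS_ANSWERS))
    print("non-standard ports:", [(f.dst, f.dport) for f in non_standard_port_flows(FLOWS)])
    print(config_vs_observed(CONFIG_C2, FLOWS))
```

Feed it Zeek conn.log or NetFlow records converted to Flow objects and the DNS answer set from the same capture; a destination that appears in all three result lists and is absent from the extracted configuration is the kind of discrepancy worth a second look before the IOCs are published.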

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: mrndzgmniU.exe, vidhagirea/SCPRNS.cs; .Net Code: vidhagirea screen

          E-Banking Fraud
