Edit tour

Windows Analysis Report
mrndzgmniU.exe

Overview

General Information

Sample Name:	mrndzgmniU.exe
Analysis ID:	734377
MD5:	543e6753b0fcdb5099ff718337f460ca
SHA1:	561c10c491fc7823b99bf5102d878a3f15e6a90c
SHA256:	ca74472613129855bd7fc79c4a245a2f27de85086cfd191506f1c9906b9ae460
Infos:

Detection

Crimson

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Crimson RAT

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Contains functionality to capture screen (.Net source)

Connects to many ports of the same IP (likely port scanning)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Sample file is different than original file name gathered from version info

May sleep (evasive loops) to hinder dynamic analysis

Detected TCP or UDP traffic on non-standard ports

Internet Provider seen in connection with other malware

Detected potential crypto function

PE / OLE file has an invalid certificate

Potential time zone aware malware

Program does not show much activity (idle)

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w10x64

mrndzgmniU.exe (PID: 5508 cmdline: C:\Users\user\Desktop\mrndzgmniU.exe MD5: 543E6753B0FCDB5099FF718337F460CA)

cleanup

Malware Configuration

Threatname: Crimson

{"C2 url": "157.251.115.215"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mrndzgmniU.exe	JoeSecurity_Crimson_RAT	Yara detected Crimson RAT	Joe Security
mrndzgmniU.exe	MALWARE_Win_CrimsonRAT	Detects CrimsonRAT	ditekSHen	0x99ffd6:$s9: see_scren 0x9a0041:$s11: see_responce 0x9a0ec0:$s11: see_responce 0x9a0edd:$s11: see_responce 0x9a0efa:$s11: see_responce 0x9a0f17:$s11: see_responce 0x9a0f34:$s11: see_responce 0x9a0f51:$s11: see_responce 0x9a0f6e:$s11: see_responce 0x9a0fbe:$s11: see_responce 0x9a0fdb:$s11: see_responce 0x9a0ff8:$s11: see_responce 0x9a1015:$s11: see_responce 0x9a1032:$s11: see_responce 0x9a104f:$s11: see_responce 0x9a106c:$s11: see_responce 0x99ffc2:$s12: pull_data 0x99fc05:$s13: do_process 0x99fbcc:$s14: do_updated 0x9a28b8:$s16: #Runing\|ver# 0x9a2930:$s17: \|fileslog=

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.258647249.00000239DBF90000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Crimson_RAT	Yara detected Crimson RAT	Joe Security
Process Memory Space: mrndzgmniU.exe PID: 5508	JoeSecurity_Crimson_RAT	Yara detected Crimson RAT	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.mrndzgmniU.exe.239db5f0000.0.unpack	JoeSecurity_Crimson_RAT	Yara detected Crimson RAT	Joe Security
0.0.mrndzgmniU.exe.239db5f0000.0.unpack	MALWARE_Win_CrimsonRAT	Detects CrimsonRAT	ditekSHen	0x99ffd6:$s9: see_scren 0x9a0041:$s11: see_responce 0x9a0ec0:$s11: see_responce 0x9a0edd:$s11: see_responce 0x9a0efa:$s11: see_responce 0x9a0f17:$s11: see_responce 0x9a0f34:$s11: see_responce 0x9a0f51:$s11: see_responce 0x9a0f6e:$s11: see_responce 0x9a0fbe:$s11: see_responce 0x9a0fdb:$s11: see_responce 0x9a0ff8:$s11: see_responce 0x9a1015:$s11: see_responce 0x9a1032:$s11: see_responce 0x9a104f:$s11: see_responce 0x9a106c:$s11: see_responce 0x99ffc2:$s12: pull_data 0x99fc05:$s13: do_process 0x99fbcc:$s14: do_updated 0x9a28b8:$s16: #Runing\|ver# 0x9a2930:$s17: \|fileslog=

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mrndzgmniU.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: mrndzgmniU.exe	ReversingLabs: Detection: 88%
Source: mrndzgmniU.exe	Metadefender: Detection: 36%			Perma Link

Machine Learning detection for sample

Source: mrndzgmniU.exe

Joe Sandbox ML: detected

Source: 0.0.mrndzgmniU.exe.239db5f0000.0.unpack

Avira: Label: TR/Spy.Gen

Source: mrndzgmniU.exe

Malware Configuration Extractor: Crimson {"C2 url": "157.251.115.215"}

Source: mrndzgmniU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mrndzgmniU.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: g:\vidhagirea\vidhagirea\obj\Debug\vidhagirea.pdb source: mrndzgmniU.exe

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 164.68.96.32 ports 8169,3,4,3468,6,8

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 157.251.115.215

Source: global traffic

TCP traffic: 192.168.2.3:49698 -> 164.68.96.32:3468

Source: Joe Sandbox View

ASN Name: CONTABODE CONTABODE

Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 164.68.96.32

Source: mrndzgmniU.exe, 00000000.00000003.266261403.00000239F65E6000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.266282463.00000239F65E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.w
Source: mrndzgmniU.exe, 00000000.00000003.266377793.00000239F65DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://en.wi
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mrndzgmniU.exe, 00000000.00000003.272214371.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.272242930.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.cok
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.278874149.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279247863.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mrndzgmniU.exe, 00000000.00000003.272153618.00000239F65E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mrndzgmniU.exe, 00000000.00000002.529734584.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279694125.00000239F65BA000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.278874149.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279485557.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.279247863.00000239F65BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa9
Source: mrndzgmniU.exe, 00000000.00000002.529601682.00000239F65A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com9
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mrndzgmniU.exe, 00000000.00000003.270768085.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.270688558.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp, mrndzgmniU.exe, 00000000.00000003.270861576.00000239F65ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDn
Source: mrndzgmniU.exe, 00000000.00000002.530027423.00000239F7832000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mrndzgmniU.exe	String found in binary or memory: https://www.sysinternals.com0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture screen (.Net source)

Source: mrndzgmniU.exe, vidhagirea/SCPRNS.cs

.Net Code: vidhagireascreen

E-Banking Fraud

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
mrndzgmniU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Crimson

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mrndzgmniU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Crimson

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Windows Analysis Report
mrndzgmniU.exe