{ "Event": { "analysis": "1", "date": "2026-03-27", "extends_uuid": "", "info": "[Threat Intel] CrySome RAT : An Advanced Persistent .NET Remote Access Trojan", "protected": false, "publish_timestamp": "1775907157", "published": true, "threat_level_id": "3", "timestamp": "1775907157", "uuid": "72ee430b-f884-44be-ae80-a9656a18ed05", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#f9b12b", "local": false, "name": "misp-galaxy:producer=\"Cyfirma\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#8ee8d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"", "relationship_type": "" }, { "colour": "#e2ba37", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\"", "relationship_type": "" }, { "colour": "#f28fb8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"", "relationship_type": "" }, { "colour": "#8b05c0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"", "relationship_type": "" }, { "colour": "#9c8729", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "relationship_type": "" }, { "colour": "#4985d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#b672a4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#d4fd6f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "relationship_type": "" }, { "colour": "#a9bb6d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#c8f8ef", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Binary Proxy Execution - T1218\"", "relationship_type": "" }, { "colour": "#682cad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#ece0df", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Video Capture - T1125\"", "relationship_type": "" }, { "colour": "#adf1b0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#b24806", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#2e58ce", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"", "relationship_type": "" }, { "colour": "#fdd85e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3500ca", "local": false, "name": "rectifyq:detection-rules=\"yara-from-src\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775012415", "to_ids": false, "type": "link", "uuid": "daf65ddf-4274-47f9-b4d5-52f66083982a", "value": "https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775012415", "to_ids": false, "type": "text", "uuid": "deefe097-140a-4e65-8bcb-9eb22a772865", "value": "CrySome is a sophisticated .NET-based remote access trojan designed for persistent command-and-control operations. It features advanced persistence mechanisms, including recovery partition abuse and offline registry modification, allowing it to survive system resets. The malware incorporates an aggressive defense evasion module, disabling security products and blocking updates. Key capabilities include command execution, file operations, surveillance, credential theft, and hidden virtual desktop control. CrySome's modular architecture and structured packet-based protocol enable a wide range of remote operations. Its emphasis on stealth, resilience, and comprehensive system control makes it a significant threat for long-term covert access to compromised environments." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775012415", "to_ids": false, "type": "text", "uuid": "15c18d55-6ac9-42cf-933b-b1c3bc9e9717", "value": "Name: CrySome RAT : An Advanced Persistent .NET Remote Access Trojan\nAuthor: AlienVault\nAdversary: \nTags: [\"rat\", \".net\", \"stealth\", \"c#\", \"remote access\", \"credential theft\", \"defense evasion\", \"crysome rat\", \"hvnc\", \"persistence\", \"avkiller\"]\nTgtd countries: []\nMlwr families: [\"CrySome RAT\"]\nAttack_ids: [\"T1113\", \"T1037\", \"T1003\", \"T1123\", \"T1543\", \"T1547\", \"T1053\", \"T1106\", \"T1562\", \"T1555\", \"T1036\", \"T1055\", \"T1218\", \"T1021\", \"T1112\", \"T1125\", \"T1090\", \"T1059\", \"T1070\", \"T1057\", \"T1027\", \"T1056\", \"T1134\", \"T1105\"]\nIndustries: []" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:11/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1775902638", "to_ids": true, "type": "sha1", "uuid": "3a5575b8-b792-42c3-819d-34952c62e4c3", "value": "61d065d0afd03bac6a42cb39d48115f66b9fb3ff", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775904607", "to_ids": true, "type": "domain", "uuid": "c24a5e0c-87db-41e9-8278-48482c0cb22e", "value": "crysome.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "7", "timestamp": "1775898387", "uuid": "8c98fd00-935d-4571-a338-f42b7ff812fc", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1775898362", "to_ids": false, "type": "text", "uuid": "fca61be9-18fa-4786-a3fa-54ffc027e426", "value": "CrySome_RAT" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1775898362", "to_ids": false, "type": "comment", "uuid": "5d9d71d4-5c09-4f5f-b580-a80576a439ff", "value": "Detection of CrySome RAT using SHA256 hashes and C2 domain" }, { "category": "Payload installation", "comment": "Bad yara", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1775898387", "to_ids": true, "type": "yara", "uuid": "6adb7cf2-dc08-43c3-b153-84379642f6e3", "value": "import \u201chash\u201d\r\nrule CrySome_RAT\r\n{\r\nmeta:\r\ndescription = \u201cDetection of CrySome RAT using SHA256 hashes and C2 domain\u201d\r\nauthor = \u201cCyfirma Research\u201d\r\ndate = \u201c2026-03-25\u201d\r\nstrings:\r\n$url = \u201ccrysome.net\u201d\r\ncondition:\r\nhash.sha256(0, filesize) == \u201cf30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d\u201d or\r\nhash.sha256(0, filesize) == \u201cfa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3\u201d or\r\n$url\r\n}" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904628", "uuid": "2fb6161b-4300-4c19-90ab-e3b6f8a9162c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904628", "to_ids": true, "type": "md5", "uuid": "1ee2c0ba-493d-4678-872d-c82b53adbe65", "value": "03898be29fb6c5464b28ae0239713b7b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902636", "to_ids": true, "type": "sha1", "uuid": "520878d4-0394-402b-9b44-3d7e6342edc7", "value": "a89158fe7d762dca8f136498a4120e3597933cab", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902636", "to_ids": true, "type": "sha256", "uuid": "fbace414-f1fc-4fb8-86f9-1c05fd3ce034", "value": "f30f32937999abe4fa6e90234773e0528a4b2bd1d6de5323d59ac96cdb58f25d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901737", "to_ids": true, "type": "ssdeep", "uuid": "039eb555-b5e4-4cb9-9b7f-c790a14391f0", "value": "12288:zhoUZeviEqMeV89bROjl/1yJIRHqPuCA6H4pD0ai95WQHlT:GUkn7eWBR5JIRR16zxvWaT" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901737", "to_ids": false, "type": "size-in-bytes", "uuid": "494988ae-7b23-45d5-946a-f1321a09c63d", "value": "520704" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775901737", "to_ids": true, "type": "vhash", "uuid": "7d2642a8-de4a-4f3a-bce7-13f7106e76f6", "value": "25503675151220c2aaa5db3f97" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901737", "to_ids": true, "type": "filename", "uuid": "2ae2af9a-7f75-465d-8053-7fed38665635", "value": "Crysome.Client.exe" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901737", "to_ids": false, "type": "text", "uuid": "c61414cc-09a9-49ba-bb76-c6011764d2b6", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Crysome!AMTB\nVT Total Detection:47/72\nFirst Submission:2026-03-20T16:15:21.000000+00:00\nLast Submission:2026-04-06T07:56:49.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904649", "uuid": "ee4497ae-f469-46a3-af17-64a79fda8f79", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904649", "to_ids": true, "type": "md5", "uuid": "4c599b76-97d9-4bc9-939b-3190bc7dc92b", "value": "d5e2eb1366ac6a691b5aaad8bec11727", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902637", "to_ids": true, "type": "sha1", "uuid": "9c3225ca-aaee-4eea-bf5d-3a9d6e11da0b", "value": "b4070db8f451731ab768a530f6738cc1800a300b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902637", "to_ids": true, "type": "sha256", "uuid": "e63fcfb5-932f-43f5-a176-c194023ef62d", "value": "fa896cc8ce13c69f6306eff2a8698998b48b422784053df6bb078c17fe3f04c3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901758", "to_ids": true, "type": "ssdeep", "uuid": "69f645ff-0d5f-4efc-a2b9-a4496168dabf", "value": "393216:o6ZjMzes/S8ZKgWNLKUkxDIaaleFin28hviA7epdq1rrnqSDr:HZIbStbk0YO28hviA7ebq1rrnqSD" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901758", "to_ids": false, "type": "size-in-bytes", "uuid": "b5779ca7-e7c3-4efa-9631-97fc1f3721b6", "value": "17640960" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775901758", "to_ids": true, "type": "vhash", "uuid": "5aa28a7e-054c-4f8b-9727-fff76b09bac9", "value": "2170567676655517f01dd9ffca1e71dff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901758", "to_ids": true, "type": "filename", "uuid": "334dfc42-a41d-4cac-84d6-a8b3406b95dc", "value": "Crysome.Server.dll" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901758", "to_ids": false, "type": "text", "uuid": "22a17fee-98a3-4fd0-aa8f-ef2dd73b0c42", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/Vigorf.A\nVT Total Detection:38/72\nFirst Submission:2026-03-20T16:15:49.000000+00:00\nLast Submission:2026-04-02T18:43:20.000000+00:00" } ] } ] } }