Crimson Rat

Crimson Rat Description

Trojan.CrimsonRat is a detection name used by cybersecurity vendors in regards to a Remote Access Trojan that is known to run as 'winservice.exe' on compromised systems. The Trojan.CrimsonRat malware is written in the Java programming language, and it is a cross-platform program that supports a Web access panel. Ironically, the payload of the Trojan is seen to arrive on systems as a file named 'securetyscan.exe,' which users may be lead to believe is a recommended security product. Hence, the UAC (User Account Control) prompt that appears during installation is not likely to raise suspicion. The Trojan.CrimsonRat is known to register a background service named 'winservice.exe' and allow a threat actor to modify and delete files on the compromised PC. Additionally, threat actors can use the CrimsonRat Trojan to download and run secondary threats on the infected machines.

The CrimsonRat Trojan is reported of attempting to suppress security alerts from several AV utilities and limit their capabilities. The first wave of attacks facilitated by the CrimsonRat Trojan was registered in Germany, but the 'Command and Control' server configuration revealed the threat actors are likely to be based in Sweden. Trojan.CrimsonRat is recorded to exchange data with the 5.189.167.65 IP address over port 12010, which is used to handle standard TCP/UDP connections. The Trojan.CrimsonRat malware is observed to report the compromised user's OS version, IP address, country of origin, keyboard layout, and a compiled list of installed software. The information may be used as a reference when the CrimsonRat operators decide to take advantage of the compromised device or sell the backdoor access to the PC via markets in the Dark Web. PC users who may have fallen a victim of the CrimsonRat malware may notice missing files, unfamiliar programs running in the background, and their AV scanner being unresponsive. It is best that you run a complete system scan with a reliable anti-spyware scanner that can detect and eliminate Trojan.CrimsonRat securely. AVs support rules designed to block the CrimsonRat from being installed. The alerts related to the CrimsonRat activation might offer the following detection names:

  • RDN/Generic PWS.y
  • Spyware ( 004f5c9a1 )
  • TROJ_GEN.R047C0PHH16
  • Trojan.Generic.17936439
  • Trojan.Generic.D111B037
  • TrojanAPT.MsoGen.J4
  • Trojan[Spy]/Win32.Crimson
  • W32/Crimson.AC!tr
  • Win32.Trojan-spy.Crimson.Edxg
  • a variant of MSIL/Spy.Keylogger.BNM

Technical Information

File System Details

Crimson Rat creates the following file(s):
# File Name Size MD5
1 %APPDATA%\Microsoft\msedefender.exe 76,288 fcb6cb14e07575b91033cbc01915eb2a
2 file.exe 456,704 a1986e69d9581e112c6a51952a27279a
More files

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.


HTML is not allowed.