
Crimson RAT: An Analysis of RingBell.exe

Shailendra Singh Sachan

Security Researcher


What is Crimson RAT?

Crimson RAT is a Remote Access Trojan (RAT) that has been in active use for several years, consistently linked to the threat actor known as Transparent Tribe (also tracked as APT36). Crimson RAT is purpose-built for cyber-espionage; designed to silently infiltrate victim systems, establish persistent access, and exfiltrate sensitive information under the operator's command.

In this analysis we examine a specific sample, named RingBell.exe, which we executed in a controlled virtual environment. The goal is to understand exactly what this malware does from the moment it lands on a system to when it reaches out to its command-and-control (C2) infrastructure, and to extract every indicator that defenders can use to detect or block it.

This sample is attributed to APT36 (Transparent Tribe), a well-resourced nation-state threat actor with a documented history of targeting Indian government, defence, and education institutions.

Threat Actor Profile

Transparent Tribe is one of the most consistently active South Asia-focused threat groups. The group operates with a primary intelligence-gathering mandate, targeting organisations tied to the Indian government, military, and academic institutions. Unlike financially motivated criminal groups, their objective is strategic: stealing sensitive communications, defence intelligence, and operational data.

The group is tracked under an unusually large number of aliases across the security industry:

  • APT36
  • Transparent Tribe
  • COPPER FIELDSTONE
  • Mythic Leopard
  • ProjectM
  • Earth Karkaddan
  • Operation C-Major
  • Green Havildar
  • Storm-0156
  • TMP.Lapis
  • APT-C-56

The group's geographic focus is firmly on India and South Asian nations. Their primary targets include Indian defence and government organisations, Indian educational institutions, and law enforcement bodies, notably the Jammu & Kashmir Police. Their motivation is unambiguously espionage rather than financial gain, and they rely heavily on spear-phishing campaigns with malicious attachments as the initial access vector.

Static File Analysis

Static analysis examines the file's structure, metadata, imports, and embedded strings without executing anything.

[Image: entropy and VirusTotal detection summary]

Note: An overall entropy of 6.072 is in the moderate range; values above 7.0–7.5 typically indicate packing or encryption, so this sample does not appear to be packed. When submitted to VirusTotal, the sample was detected by 52 of 66 antivirus engines, an exceptionally high rate that indicates a well-known, widely signatured malware family.
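The entropy figure above is the Shannon entropy of the file in bits per byte. The following is an added example (not code from the original post) that computes it and applies the triage thresholds mentioned in the note to a few constructed buffers standing in for PE sections; the threshold values and the sample buffers are assumptions for illustration, not measurements of RingBell.exe.

```python
import math
from collections import Counter

# Triage heuristic taken from the note above: above roughly 7.0-7.5 bits/byte
# usually means packed, compressed or encrypted content. The cut-offs are an
# analyst convention, not a standard.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy: float) -> str:
    """Map an entropy value onto the triage bands used in the note."""
    if entropy < 5.0:
        return "low (plain text, zero padding or sparse data)"
    if entropy < PACKED_THRESHOLD:
        return "moderate (typical compiled code and metadata)"
    return "high (likely packed, compressed or encrypted)"


# Constructed sample buffers, not bytes from the analysed sample.
SAMPLES = {
    "zero_padding": b"\x00" * 4096,
    "ascii_strings": b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00" * 64,
    "full_byte_range": bytes(range(256)) * 16,  # every byte value equally likely -> exactly 8.0
}


def triage(sections: dict) -> dict:
    """Return {name: (entropy rounded to 3 places, verdict)} for each section buffer."""
    out = {}
    for name, data in sections.items():
        h = shannon_entropy(data)
        out[name] = (round(h, 3), classify(h))
    return out


if __name__ == "__main__":
    for name, (h, verdict) in triage(SAMPLES).items():
        print(f"{name:16s} {h:5.3f}  {verdict}")
```

Run per PE section rather than over the whole file when possible: a small encrypted resource inside an otherwise ordinary .NET binary is diluted in the whole-file figure but stands out section by section.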

[Image: EXE file static info]

[Image: DLLs/libraries used by the malicious EXE]

Static analysis shows two library references: mscoree.dll (Microsoft .NET Runtime Execution Engine) and user32.dll (Multi-User Windows USER API Client Library). The dependence on mscoree.dll confirms this is a managed .NET application; a .NET executable's PE import directory normally lists only mscoree.dll, for the _CorExeMain entry point. The user32.dll reference is not a PE import at all but comes from the assembly's P/Invoke metadata (the ImplMap table), which is where static tools pick it up. It indicates that the malware calls Windows USER API functions directly, consistent with reading system information, managing windows, or interacting with the desktop environment.

[Image: Suspicious Windows strings (classes and functions) used by the malicious EXE]

The class and function names recovered from the binary indicate that the malware can load data into memory, enumerate running processes, write files to disk, create directories, and execute payloads.

Behavioral Analysis

Process Activity

[Image: EXE execution logs]

[Image: Malicious EXE executed, with process and registry changes monitored]

[Image: Process tree]

Registry Activity

Executing the sample generated a large volume of registry activity; the captured changes are shown below, and the Run key modification is the one that matters for persistence.

[Image: Log file]

[Image: Registry changes captured]

[Image: RUN registry modification]

[Image: RingBell.exe added to Startup Apps]

The Windows Startup Apps settings page independently listed "RingBell" as a startup application rated "High impact". This confirms the Run key entry from a second vantage point; the impact rating itself reflects only the CPU and disk usage Windows measured at logon and is not a security judgement.



Network Activity

FakeNet-NG simulated internet connectivity inside the sandbox and captured all outbound network behaviour.

[Image: Network activity logs]

Indicators of Compromise

Below are the IOCs for the malware detonated in the virtual environment.

Network-Based IOCs

161.97.176.42:10019 (swissaccount.ddns.net)
swissaccount.ddns.net (Dynamic DNS domain used for C2)

The following two entries were also captured but are sandbox and operating-system artifacts rather than indicators, and should not be added to blocklists:

192.0.2.123:10019 (swissaccount.ddns.net): 192.0.2.123 is the address FakeNet-NG returns by default for every DNS query (it lies in the RFC 5737 TEST-NET-1 documentation range), so this connection is the sample reaching the spoofed C2 inside the sandbox.
131.107.255.255 (dns.msftncsi.com): the Windows Network Connectivity Status Indicator probe, seen on any networked Windows host.

File-Based IOCs

MD5: A59C328D69FD858D116067159B0CFBF2
SHA1: 12AC5CF88335E14C483F05595D85415AD0A16277
SHA-256: 8B786784C172C6F8B241B1286A2054294E8DC2C167D9B4DAAE0E310A1D923BA0

Registry IOC

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RingBell
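Separating genuine indicators from sandbox and OS noise is a step every FakeNet-based analysis has to take before sharing IOCs. The following is an added example, not code from the original post, that applies that triage to the network observations listed above: it drops the Windows NCSI probe, discards IP addresses in the RFC 5737 documentation ranges that FakeNet-NG hands out, keeps the domain the sample actually asked for, and flags Dynamic DNS hostnames. The list of DynDNS suffixes and the set of noise domains are assumptions for illustration and are not exhaustive.

```python
import ipaddress

# RFC 5737 documentation ranges. FakeNet-NG answers every DNS query with
# 192.0.2.123 by default, so these addresses in a sandbox capture are the
# sandbox itself, not adversary infrastructure.
DOC_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

# Windows connectivity probes present on any networked host (assumed, non-exhaustive).
OS_NOISE_DOMAINS = {"dns.msftncsi.com", "www.msftncsi.com", "www.msftconnecttest.com"}
OS_NOISE_IPS = {"131.107.255.255"}

# Dynamic DNS providers frequently abused for C2 (assumed, non-exhaustive).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".duckdns.org", ".zapto.org")


def classify_observation(ip, domain):
    """'os_noise' for OS probes, 'sandbox_artifact' for documentation-range IPs, otherwise 'ioc'."""
    if (domain and domain.lower() in OS_NOISE_DOMAINS) or ip in OS_NOISE_IPS:
        return "os_noise"
    if ip and any(ipaddress.ip_address(ip) in net for net in DOC_RANGES):
        return "sandbox_artifact"
    return "ioc"


def is_dyndns(domain):
    return bool(domain) and domain.lower().endswith(DYNDNS_SUFFIXES)


def triage(observations):
    """Split raw sandbox network observations into shareable IOCs and dropped artifacts.

    A sandbox-artifact IP still leaves the paired domain as a valid IOC: the
    sample asked for that name, the sandbox merely answered with its own address.
    """
    iocs = {"domains": set(), "dyndns_domains": set(), "ip_ports": set()}
    dropped = []
    for o in observations:
        ip, port, domain = o.get("ip"), o.get("port"), o.get("domain")
        verdict = classify_observation(ip, domain)
        if verdict == "os_noise":
            dropped.append((o, verdict))
            continue
        if domain:
            iocs["domains"].add(domain.lower())
            if is_dyndns(domain):
                iocs["dyndns_domains"].add(domain.lower())
        if ip and verdict == "ioc":
            iocs["ip_ports"].add(f"{ip}:{port}" if port else ip)
        elif ip:
            dropped.append(({"ip": ip, "port": port}, verdict))
    return iocs, dropped


# The observations as listed in the IOC section above.
OBSERVATIONS = [
    {"ip": "161.97.176.42", "port": 10019, "domain": "swissaccount.ddns.net"},
    {"ip": "192.0.2.123", "port": 10019, "domain": "swissaccount.ddns.net"},
    {"ip": "131.107.255.255", "port": None, "domain": "dns.msftncsi.com"},
]

if __name__ == "__main__":
    iocs, dropped = triage(OBSERVATIONS)
    print("IOCs:", {k: sorted(v) for k, v in iocs.items()})
    for item, reason in dropped:
        print("dropped:", item, reason)
```

If the sandbox is configured with a different DNS response address, add that address to the filter as well; the point is that whatever the fake resolver answers with must never leak into a shared indicator set.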

MITRE ATT&CK Mapping

Below is the MITRE ATT&CK Mapping for the malware detonated in the virtual environment.

[Image: MITRE ATT&CK mapping]

Detection Opportunities

Detection opportunities for the malware detonated in the virtual environment.

  • Detect writes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run where the writing process itself runs from a user-writable path, as in this execution chain.
  • Monitor for suspicious child processes of explorer.exe, in particular executables launched from Desktop or Downloads.
  • Detect execution of unsigned executables and scripts from user-writable paths such as Desktop, Temp, AppData, and Downloads.
  • Detect and investigate traffic to Dynamic DNS (DynDNS) domains, such as "swissaccount.ddns.net" in this case.
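The detection opportunities above are implemented below as rules over Sysmon-style events and then correlated per process, so that persistence plus DynDNS resolution from the same process scores higher than either alone. This is an added example, not code from the original post or from any detection product. The events are constructed to mirror the observed behaviour and use a simplified field set; the "signed" field is an assumed enrichment (Sysmon process-creation events do not carry signature status themselves), and the DynDNS suffix list is an illustrative assumption.

```python
import re
from collections import defaultdict

# Paths a standard user can write to; phishing-delivered payloads land here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata|documents)\\|\\temp\\", re.I)
# Per-user autorun keys. Sysmon writes HKCU paths as HKU\<SID>\..., so match on the suffix.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Dynamic DNS providers commonly abused for C2 (assumed, non-exhaustive).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".duckdns.org", ".zapto.org")


def run_key_write_from_user_path(ev):
    """Sysmon EID 13: autorun value set by a process that runs from a user-writable path."""
    return (ev["event_id"] == 13
            and bool(RUN_KEY.search(ev["target_object"]))
            and bool(USER_WRITABLE.search(ev["image"])))


def explorer_spawns_unsigned_user_binary(ev):
    """Sysmon EID 1: explorer.exe starts an unsigned binary from a user-writable path."""
    return (ev["event_id"] == 1
            and ev["parent_image"].lower().endswith("\\explorer.exe")
            and bool(USER_WRITABLE.search(ev["image"]))
            and not ev.get("signed", True))


def dyndns_query(ev):
    """Sysmon EID 22: DNS query for a dynamic DNS hostname."""
    return ev["event_id"] == 22 and ev["query_name"].lower().endswith(DYNDNS_SUFFIXES)


RULES = {
    "run_key_write_from_user_path": run_key_write_from_user_path,
    "explorer_spawns_unsigned_user_binary": explorer_spawns_unsigned_user_binary,
    "dyndns_query": dyndns_query,
}


def run_detections(events):
    """Return {process_guid: set of rule names that fired for that process}."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["process_guid"]].add(name)
    return dict(hits)


def severity(rule_names):
    """Two or more independent behaviours from one process is a much stronger signal than one."""
    return "high" if len(rule_names) >= 2 else "medium"


# Constructed events modelled on the observed execution chain, plus benign activity that must not fire.
EVENTS = [
    {"event_id": 1, "process_guid": "P1", "image": r"C:\Users\analyst\Desktop\RingBell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": False},
    {"event_id": 13, "process_guid": "P1", "image": r"C:\Users\analyst\Desktop\RingBell.exe",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\RingBell"},
    {"event_id": 22, "process_guid": "P1", "image": r"C:\Users\analyst\Desktop\RingBell.exe",
     "query_name": "swissaccount.ddns.net"},
    # Benign: signed system binary from explorer, the NCSI probe, and a vendor updater in Program Files.
    {"event_id": 1, "process_guid": "P2", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"event_id": 22, "process_guid": "P3", "image": r"C:\Windows\System32\svchost.exe",
     "query_name": "dns.msftncsi.com"},
    {"event_id": 13, "process_guid": "P4", "image": r"C:\Program Files\Vendor\updater.exe",
     "target_object": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater"},
]

if __name__ == "__main__":
    for guid, names in run_detections(EVENTS).items():
        print(f"{guid}: {severity(names)} -> {sorted(names)}")
```

Only the RingBell chain fires; the vendor updater writing its own Run value from Program Files and the signed notepad launch stay quiet, which is the precision the rules need to survive on a real fleet.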

Conclusion

The static and dynamic examination of RingBell.exe consistently identify it as the Crimson RAT remote access trojan. After execution, the sample performed environment reconnaissance, collecting the computer name and language settings, most likely to fingerprint the victim machine. It then established persistence by adding itself to the current user's Run key so that it relaunches at every logon, a deliberate effort to maintain long-term access to the compromised host rather than achieve a one-time objective. Most significantly, the sample issued a DNS query for a Dynamic DNS domain, a strong behavioural indicator of command-and-control communication: DynDNS services give malware a stable-looking hostname while letting operators relocate the actual C2 infrastructure at will. The tooling, behaviour, and code characteristics observed align closely with previously documented activity attributed to Transparent Tribe (APT36), a threat actor with an extensive operational history of targeting government, defence, and education sector entities across India and South Asia.
