What is Crimson RAT?
Crimson RAT is a Remote Access Trojan (RAT) that has been in active use for several years and is consistently linked to the threat actor known as Transparent Tribe (also tracked as APT36). It is purpose-built for cyber-espionage: designed to silently infiltrate victim systems, establish persistent access, and exfiltrate sensitive information on the operator's command.
In this analysis, we examined a specific sample, RingBell.exe, executed in a controlled virtual environment. The goal is to understand exactly what this malware does from the moment it lands on a system to the point at which it reaches out to its command-and-control (C2) infrastructure, and to extract every indicator that defenders can use to detect or block it.
This sample is attributed to APT36 (Transparent Tribe), a well-resourced nation-state threat actor with a documented history of targeting Indian government, defence, and education institutions.
Threat Actor Profile
Transparent Tribe is one of the most consistently active South Asia-focused threat groups. The group operates with a primary intelligence-gathering mandate, targeting organisations tied to the Indian government, military, and academic institutions. Unlike financially motivated criminal groups, their objective is strategic: stealing sensitive communications, defence intelligence, and operational data.
The group is tracked under an unusually large number of aliases across the security industry:
- APT36
- Transparent Tribe
- COPPER FIELDSTONE
- Mythic Leopard
- ProjectM
- Earth Karkaddan
- Operation C-Major
- Green Havildar
- Storm-0156
- TMP.Lapis
- APT-C-56
The group's geographic focus is firmly on India and South Asian nations. Their primary targets include Indian defence and government organisations, Indian educational institutions, and law enforcement bodies, notably the Jammu & Kashmir Police. Their motivation is unambiguously espionage rather than financial gain, and they rely heavily on spear-phishing campaigns with malicious attachments as the initial access vector.
Static File Analysis
Examining the file's structure, metadata, imports, and embedded strings without executing anything.
Note: an entropy of 6.072 is in the moderate range; values above 7.0–7.5 typically indicate packing or encryption. Also, when submitted to VirusTotal, the sample was flagged by 52 of 66 antivirus engines, an exceptionally high detection rate that confirms this is a well-known malware family.
EXE file static Info
DLLs/Libraries used by the malicious EXE
Static analysis shows this sample imports two libraries: mscoree.dll [Microsoft .NET Runtime Execution Engine] and user32.dll [Multi-User Windows USER API Client Library]. The reliance on mscoree.dll confirms this is a managed .NET application. The presence of user32.dll (reached via P/Invoke) indicates the malware makes direct calls to Windows USER API functions, consistent with reading system information, managing windows, or interacting with the desktop environment.
Suspicious Windows strings (Classes & Functions) used by the malicious EXE
The malware can load data into memory, check what processes are running, write files to disk, create directories, and execute payloads.
Behavioral Analysis
Process Activity
Malicious EXE executed and Changes in Processes & Registry Monitored
Process Tree
Registry Activity
The malware generated a large volume of registry activity after execution.
Registry Changes Captured
RUN Registry Modification
Ringbell.exe added to Startup Apps
Windows Startup settings independently confirmed "RingBell" was listed as a High Impact startup application, meaning Windows itself flagged it as significantly resource-consuming.
Network Activity
FakeNet-NG simulated internet connectivity inside the sandbox and captured all outbound network behaviour.
Indicators of Compromise
Below are the IOCs for the malware detonated in the virtual environment.
Network-Based IOCs
- 161.97.176.42:10019
- swissaccount.ddns.net
- 192.0.2.123:10019
- swissaccount.ddns.net
- 131.107.255.255
- dns.msftncsi.com
Note: 192.0.2.123 falls in a reserved documentation range and is the placeholder address FakeNet-NG returns for DNS lookups inside the sandbox, and 131.107.255.255 / dns.msftncsi.com are the endpoints of Windows' own Network Connectivity Status Indicator probe. Treat the DynDNS hostname and its real resolution as the actionable network indicators, and the rest as sandbox and operating-system artefacts.
File-Based IOCs
MD5: A59C328D69FD858D116067159B0CFBF2
SHA1: 12AC5CF88335E14C483F05595D85415AD0A16277
SHA-256: 8B786784C172C6F8B241B1286A2054294E8DC2C167D9B4DAAE0E310A1D923BA0
Registry IOC
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RingBell
MITRE ATT&CK Mapping
Below is the MITRE ATT&CK Mapping for the malware detonated in the virtual environment.
Detection Opportunities
Detection opportunities for the malware detonated in the virtual environment.
- Detect repeated queries or writes against HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run from the suspicious execution chain.
- Monitor for suspicious child processes of explorer.exe, the parent process in this execution chain.
- Detect execution of unsigned executables and scripts from user-writable paths such as Desktop, Temp, AppData, and Downloads.
- Detect and investigate traffic to Dynamic DNS (DynDNS) domains, such as "swissaccount.ddns.net" in this case.
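The four detection opportunities above, implemented as correlation logic over constructed Sysmon-style events. This is an added example, not code from the original write-up; the event format, the process ids and the DynDNS suffix list are assumptions chosen for illustration, and the events mirror the persistence and beaconing chain this sample produced.

```python
"""Score constructed endpoint events against the detection opportunities
listed above, then correlate hits per process so the chain is visible."""
import re

# Assumption: short illustrative list of dynamic-DNS suffixes; extend from your own intel.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData|Temp)\\", re.I)

def classify(event: dict) -> list[str]:
    """Return the names of the detections a single event triggers (empty if none)."""
    hits = []
    kind = event["type"]
    if kind == "registry_set" and RUN_KEY_RE.search(event["target"]):
        hits.append("run_key_write")          # HKCU ...\CurrentVersion\Run autorun entry
    if kind == "process_create":
        parent_is_explorer = event["parent"].lower().endswith("explorer.exe")
        from_user_path = bool(USER_WRITABLE_RE.search(event["image"]))
        if parent_is_explorer and from_user_path:
            hits.append("explorer_child_from_user_path")
        if not event.get("signed", False) and from_user_path:
            hits.append("unsigned_from_user_path")
    if kind == "dns_query" and event["query"].lower().endswith(DYNDNS_SUFFIXES):
        hits.append("dyndns_query")           # DynDNS hostname, the C2 indicator here
    return hits

def triage(events: list[dict]) -> dict[int, dict]:
    """Correlate hits per process id; two or more distinct detections on one
    process (persist + beacon, as with this sample) is rated high."""
    per_pid: dict[int, set[str]] = {}
    for ev in events:
        for hit in classify(ev):
            per_pid.setdefault(ev["pid"], set()).add(hit)
    return {pid: {"hits": sorted(h), "severity": "high" if len(h) >= 2 else "low"}
            for pid, h in per_pid.items()}

# Constructed sample events (pids and paths are illustrative, not from the page).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4312, "image": r"C:\Users\analyst\Desktop\RingBell.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": False},
    {"type": "registry_set", "pid": 4312,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RingBell"},
    {"type": "dns_query", "pid": 4312, "query": "swissaccount.ddns.net"},
    {"type": "dns_query", "pid": 4312, "query": "dns.msftncsi.com"},   # benign OS probe
    {"type": "process_create", "pid": 7788, "image": r"C:\Program Files\Editor\editor.exe",
     "parent": r"C:\Windows\explorer.exe", "signed": True},
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        print(pid, verdict)
```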
Conclusion
The analysis of RingBell.exe (CrimsonRAT) confirms it to be a malicious remote access trojan, with static and dynamic examination in agreement. Observed in action, RingBell.exe first performed environment reconnaissance, gathering the computer name and language settings, most likely to fingerprint the victim machine. It then established persistence by modifying an autorun registry key so that it relaunches on every system restart, a deliberate effort to maintain long-term access to the compromised host rather than to achieve a one-time objective. Most significantly, the sample issued a DNS query for a Dynamic DNS domain, a strong behavioural indicator of command-and-control communication: DynDNS services are frequently abused to give malware a stable-looking hostname while allowing operators to relocate the actual C2 infrastructure at will. The tooling, behaviour, and code characteristics observed align closely with previously documented activity attributed to Transparent Tribe (APT36), a threat actor with an extensive operational history of targeting government, defence, and education sector entities across India and South Asia.