Overview

overview

10

Static

static

10

7394542abb...f4.exe

windows7-x64

10

7394542abb...f4.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4

  • Size

    84KB

  • Sample

    221127-ws6l4agf73

  • MD5

    347a3d54f1eb89003fc3ffc15eecc9fa

  • SHA1

    d59b10e282d5a84cfbcd92accb69c8dadfd262eb

  • SHA256

    7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4

  • SHA512

    b0a515b732e0438a7ee905e3ba2eafb7ac221f8323470a2c30ea970881bdadca9cc2b7b0ffc712a5617eb0fb893b1696c7a8cc0efa1473afadc9fdcd7459fb30

  • SSDEEP

    1536:/fFYrHzmJcABxt2mE5OAkYJLz4agc5fHLl71Bxdm+Zz8Dq:arTmJ/vElJLz4axLl1BxHZU

Score
10/10
runningratevasionpersistencerat

Malware Config

Targets

    • Target

      7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4

    • Size

      84KB

    • MD5

      347a3d54f1eb89003fc3ffc15eecc9fa

    • SHA1

      d59b10e282d5a84cfbcd92accb69c8dadfd262eb

    • SHA256

      7394542abb42ff616b8b8dc70d65a6fbd11991f545e03b31886920b886eb54f4

    • SHA512

      b0a515b732e0438a7ee905e3ba2eafb7ac221f8323470a2c30ea970881bdadca9cc2b7b0ffc712a5617eb0fb893b1696c7a8cc0efa1473afadc9fdcd7459fb30

    • SSDEEP

      1536:/fFYrHzmJcABxt2mE5OAkYJLz4agc5fHLl71Bxdm+Zz8Dq:arTmJ/vElJLz4axLl1BxHZU

    Score
    10/10
    runningratpersistenceratevasion

    • Modifies firewall policy service

      evasion

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

      ratrunningrat

    • RunningRat payload

    • Executes dropped EXE

    • Sets DLL path for service in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks