runningrat | 419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a | Triage

Submit
Reports

Overview

overview

Static

static

419d10b439...4a.exe

windows7-x64

419d10b439...4a.exe

windows10-2004-x64

Sharing

General

Target

419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a
Size

128KB
Sample

221128-q8cfasda2w
MD5

c6eeb1bb3904f433809ce8b8a12b7c35
SHA1

5b57f8b8f456c33496c7c00744db87406f74e629
SHA256

419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a
SHA512

13c8c96fd97d446793a8d92b651cd0f3ceae65b40b2e71f439971f6b375febf2b92b0b6d40743536f2742122bdd05181885fe6d3aae62dbf9fc0717afe7f3512
SSDEEP

3072:frTmJ/vElJSz42qljMMMMMMmugPo5OOLcBfNTYRAHNl48xuZt/:DTqvgJG4hljMMMMMMmu6o5OOLcBfNTYJ

Score

10^/10

runningrat evasion persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a.exe

Resource

win7-20221111-en

runningrat persistence rat

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a.exe

Resource

win10v2004-20220812-en

runningrat evasion persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a
- Size
  
  128KB
- MD5
  
  c6eeb1bb3904f433809ce8b8a12b7c35
- SHA1
  
  5b57f8b8f456c33496c7c00744db87406f74e629
- SHA256
  
  419d10b439ad860e1c5a2eae42d59eea6977d4c2ce92ef8f4a802c023159364a
- SHA512
  
  13c8c96fd97d446793a8d92b651cd0f3ceae65b40b2e71f439971f6b375febf2b92b0b6d40743536f2742122bdd05181885fe6d3aae62dbf9fc0717afe7f3512
- SSDEEP
  
  3072:frTmJ/vElJSz42qljMMMMMMmugPo5OOLcBfNTYRAHNl48xuZt/:DTqvgJG4hljMMMMMMmu6o5OOLcBfNTYJ
Score

10^/10

runningrat persistence rat evasion
- Modifies firewall policy service
  evasion
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- RunningRat payload
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Creates a Windows Service
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

runningratpersistencerat

behavioral2

runningratevasionpersistencerat

© 2018-2025

Terms | Privacy