Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    799KB

  • Sample

    230608-gyxh2sde4w

  • MD5

    ad88f1455f3a22bf958b8c2934096007

  • SHA1

    dd8e20e4bb6ee8fa198df78053da606248671587

  • SHA256

    119118f174d90c3dcfec3e81ef99bb4497b285a3c00b80a5fb12091d9591ce04

  • SHA512

    9106b195e9ce35d559cbf2e9154b2c8a355f8b1e0a5db8fa1bb59bc102c53ed5fc6b246a4a7124b0c776149bbd38c7323425e94a9c89f26e539f04ae416e5d6f

  • SSDEEP

    12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j26MMnj:2nsJ39LyjbJkQFMhmC+6GD9gQ

Score
10/10
runningratpersistencerat

Malware Config

Targets

    • Target

      tmp

    • Size

      799KB

    • MD5

      ad88f1455f3a22bf958b8c2934096007

    • SHA1

      dd8e20e4bb6ee8fa198df78053da606248671587

    • SHA256

      119118f174d90c3dcfec3e81ef99bb4497b285a3c00b80a5fb12091d9591ce04

    • SHA512

      9106b195e9ce35d559cbf2e9154b2c8a355f8b1e0a5db8fa1bb59bc102c53ed5fc6b246a4a7124b0c776149bbd38c7323425e94a9c89f26e539f04ae416e5d6f

    • SSDEEP

      12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9j26MMnj:2nsJ39LyjbJkQFMhmC+6GD9gQ

    Score
    10/10
    runningratpersistencerat

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

      ratrunningrat

    • RunningRat payload

    • Sets DLL path for service in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks