runningrat | 6d823aaee80cffb8da420d5a54086268 | Triage

Sharing

General

Target

6d823aaee80cffb8da420d5a54086268
Size

48KB
MD5

6d823aaee80cffb8da420d5a54086268
SHA1

f8607a13d57629be64d93645a140e9e568cae185
SHA256

49904badb0dc2947be87c4aef2bd3646ed0dd566826b5c003a2b7e15ca59b04c
SHA512

018332a0bcb18b015f2dbaa6319111ac07e69c8d284d4cd5879fd7a397583500da34916031752502dc6680a46c52a67d691813b24802a2768c31a45533fb1ec7
SSDEEP

768:BR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMI+V:8aAoHoc2x7bZoYBAcQlwJdMG

Score

10^/10

runningrat

Malware Config

Signatures

RunningRat payload 1 IoCs

Processes:

resource	yara_rule
sample	family_runningrat

Runningrat family
runningrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
6d823aaee80cffb8da420d5a54086268

Files

6d823aaee80cffb8da420d5a54086268
.dll windows:4 windows x86 arch:x86

6a6702f5b47319e63a51e781cbc02006

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord5683
ord4129
ord825
ord800
ord823
ord537

msvcrt

_adjust_fdiv
malloc
_initterm
free
strstr
_except_handler3
__CxxFrameHandler
_access
srand
rand
_mkdir

kernel32

CloseHandle
CreateFileA
WriteFile
GetTickCount
GetLastError
GetFileAttributesA
lstrcpyA
DisableThreadLibraryCalls
ExpandEnvironmentStringsA
MoveFileExA
DeleteFileA
GetCommandLineA
LoadLibraryA
GetProcAddress
GetLocalTime
FreeLibrary

user32

wsprintfA

Exports

Exports

Main

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 38KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 752B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 438B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ