runningrat | d536aae3b7468b7598e0e5e39e004bc26a087b81e68c3fdf9205762f2bb6782a | Triage

Sharing

General

Target

ysme.exe
Size

68KB
Sample

240318-pas5qagc83
MD5

63e89bf274c20c083a0fe769e948e2b4
SHA1

ffe988132fc4e69e782f3fc9da8e13c281d1b302
SHA256

d536aae3b7468b7598e0e5e39e004bc26a087b81e68c3fdf9205762f2bb6782a
SHA512

108e8eccba50e0bc91ececd68fdfb3019e42f2d6be04885a29c5b81f288803eebc619a3ec00cf6458b87038d62bfe63ce9c642627742fded111890b3b5fc9c6b
SSDEEP

768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIIV:BHJaAoHoc2x7bZoYBAcQlwJdMY

Score

10^/10

runningrat persistence rat

Malware Config

Targets

- Target
  
  ysme.exe
- Size
  
  68KB
- MD5
  
  63e89bf274c20c083a0fe769e948e2b4
- SHA1
  
  ffe988132fc4e69e782f3fc9da8e13c281d1b302
- SHA256
  
  d536aae3b7468b7598e0e5e39e004bc26a087b81e68c3fdf9205762f2bb6782a
- SHA512
  
  108e8eccba50e0bc91ececd68fdfb3019e42f2d6be04885a29c5b81f288803eebc619a3ec00cf6458b87038d62bfe63ce9c642627742fded111890b3b5fc9c6b
- SSDEEP
  
  768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIIV:BHJaAoHoc2x7bZoYBAcQlwJdMY
Score

10^/10

runningrat persistence rat
- RunningRat
  RunningRat is a remote access trojan first seen in 2018.
  rat runningrat
- RunningRat payload
- Sets DLL path for service in the registry
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

runningratpersistencerat

behavioral2

runningratpersistencerat