runningrat | ysme[.]exe | Triage

Sharing

General

Target

ysme.exe
Size

68KB
MD5

63e89bf274c20c083a0fe769e948e2b4
SHA1

ffe988132fc4e69e782f3fc9da8e13c281d1b302
SHA256

d536aae3b7468b7598e0e5e39e004bc26a087b81e68c3fdf9205762f2bb6782a
SHA512

108e8eccba50e0bc91ececd68fdfb3019e42f2d6be04885a29c5b81f288803eebc619a3ec00cf6458b87038d62bfe63ce9c642627742fded111890b3b5fc9c6b
SSDEEP

768:BCB8S+OR7dOahyoHokBtqN74W7bZZmYb9PyzcjRlYlwa6NVdkPnJJMIIV:BHJaAoHoc2x7bZoYBAcQlwJdMY

Score

10^/10

runningrat

Malware Config

Signatures

RunningRat payload 1 IoCs

resource	yara_rule
sample	family_runningrat

Runningrat family
runningrat

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
ysme.exe

Files

ysme.exe
.exe windows:4 windows x86 arch:x86

1b365823829e2ac9bfb0aa5d328240a4

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

??1type_info@@UAE@XZ
??3@YAXPAX@Z
_CxxThrowException
__CxxFrameHandler

kernel32

HeapAlloc
SetUnhandledExceptionFilter
CreateThread
WaitForSingleObject
ExitProcess
CloseHandle
GetProcessHeap
GetProcAddress
LoadLibraryA
HeapReAlloc
VirtualFree
FreeLibrary
VirtualAlloc
IsBadReadPtr

Exports

Exports

dd373_dll

Sections

.text
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 48KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 752B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ